Snort mailing list archives

CVE-2017-9097 signature


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 4 Jan 2018 18:12:34 +0000

Hi,


The signature below attempts to detect directory traversal on the affected system. Subsequent attacks use the 
retrieved credentials to perform RCE.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web industrial OT directory traversal attempt"; flow:to_server,established; content:"POST"; http_method; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"page=/"; http_client_body; content:"&template=../"; distance:0; http_client_body; metadata:ruleset community, service http; reference:cve,2017-9097; reference:url,github.com/ezelf/AntiWeb_testing-Suite/blob/master/LFI/anti-web-v1.py; classtype:attempted-user; sid:9000010; rev:1;)


Thanks.

YM
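
Added example (not part of the original post, and not Snort code): a simplified Python emulation of the rule's content options, run over constructed requests to show what the signature does and does not alert on. The host name, the placeholder body values and all function names are assumptions made for the illustration.

```python
# Simplified emulation of the posted rule's content options (added example).
from typing import NamedTuple

class Request(NamedTuple):
    method: str
    uri: str
    body: bytes

def parse_request(raw: bytes) -> Request:
    """Split a raw HTTP/1.x request into the three buffers the rule inspects."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return Request(method, uri, body)

def rule_matches(req: Request) -> bool:
    # content:"POST"; http_method;
    if "POST" not in req.method:
        return False
    # content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri;
    if "/cgi-bin/write.cgi" not in req.uri:
        return False
    # content:"page=/"; http_client_body;
    start = req.body.find(b"page=/")
    if start < 0:
        return False
    # content:"&template=../"; distance:0; http_client_body;
    # distance:0 is relative: search only past the end of the previous match.
    cursor = start + len(b"page=/")
    return req.body.find(b"&template=../", cursor) >= 0

def build(method: str, uri: str, body: str) -> bytes:
    """Build a constructed request; device.example is a placeholder host."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: device.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()

URI = "/cgi-bin/write.cgi"
SAMPLES = {  # all bodies are constructed test input, not captured traffic
    "traversal": build("POST", URI, "page=/&template=../constructed-placeholder"),
    "normal_template": build("POST", URI, "page=/&template=constructed.html"),
    "get_request": build("GET", URI, "page=/&template=../constructed-placeholder"),
    "reordered": build("POST", URI, "x=1&template=../constructed-placeholder&page=/"),
}

def evaluate() -> dict:
    return {name: rule_matches(parse_request(raw)) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16} {'ALERT' if hit else 'no alert'}")
```

Only the first sample alerts. The last one shows that the relative distance:0 match makes the rule depend on the order of the body parameters, which is worth covering when testing the signature against a pcap.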