[Snort-sigs] New Community sig for detecting Oracle WebCenter header injection

rmkml rmkml at ...174...
Wed Apr 17 16:15:45 EDT 2013


Hi,

Please find below a new sig offered to the community for detecting Oracle WebCenter header injection:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
  msg:"WEB-MISC Oracle WebCenter (FatWire) header injection on blobheadername2 and blobheadervalue2 attempt";
  flow:to_server,established; content:"blobheadername2="; nocase; http_uri; content:"blobheadervalue2=";
  nocase; http_uri; pcre:"/[\?\&]blobheadervalue2\=[^\&]*?[\x00-\x25\x27-\x2f\x3a-\x40\x5b-\x60\x7b-\xff]/Ui";
  reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:1; rev:1;)

Don't forget to adjust the Snort variables.

Please post any comments.

Happy Detect
Rmkml

http://twitter.com/rmkml
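
The rule's match logic replayed offline over constructed URIs, as an added example that is not part of the original post. It assumes plain percent-decoding approximates Snort's normalized URI for `http_uri` and `/U`; the path and parameter values are constructed placeholders.

```python
import re
from urllib.parse import unquote

# The rule's pcre; /i is scoped to the parameter name so that Python's
# Unicode case folding cannot change what the byte class accepts.
RULE_PCRE = re.compile(
    r"[?&](?i:blobheadervalue2)=[^&]*?"
    r"[\x00-\x25\x27-\x2f\x3a-\x40\x5b-\x60\x7b-\xff]"
)
RULE_CONTENTS = ("blobheadername2=", "blobheadervalue2=")  # both nocase


def normalize(raw_uri):
    # Assumption: plain percent-decoding stands in for Snort's normalized URI.
    return unquote(raw_uri, encoding="latin-1")


def first_trigger(raw_uri):
    """Return the character that makes the rule fire, or None if it stays silent."""
    uri = normalize(raw_uri)
    lowered = uri.lower()
    if not all(token in lowered for token in RULE_CONTENTS):
        return None  # a content match failed, so the pcre is never evaluated
    hit = RULE_PCRE.search(uri)
    return hit.group(0)[-1] if hit else None


# Constructed request URIs (path and values are placeholders, not real traffic).
BASE = "/constructed/path?blobheadername2=x&blobheadervalue2="
SAMPLES = {
    "alphanumeric value": BASE + "abc123",
    "encoded CR LF in value": BASE + "abc%0d%0adef",
    "slash in value": BASE + "application/pdf",
    "empty value": BASE + "&other=a/b",
    "mixed-case names": "/constructed/path?BlobHeaderName2=x&BLOBHEADERVALUE2=a%20b",
    "name parameter absent": "/constructed/path?blobheadervalue2=a/b",
}


def run_samples():
    return {label: first_trigger(uri) for label, uri in SAMPLES.items()}


if __name__ == "__main__":
    for label, trigger in run_samples().items():
        print(f"{label:24} -> {'ALERT on ' + repr(trigger) if trigger else 'no alert'}")
```

Because `/` (\x2f) sits inside the final character class, a value such as `application/pdf` alerts as well as an encoded CR LF, so replay your own request logs through this check to estimate alert volume before enabling the rule.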



