[Snort-sigs] New Community sig for detecting Oracle WebCenter header injection

Joel Esler jesler at ...435...
Thu Apr 18 11:26:35 EDT 2013


Thanks!  We'll take a look!

On Apr 17, 2013, at 4:15 PM, rmkml <rmkml at ...174...> wrote:

> Hi,
> 
> Please find a new sig offered to the community for detecting Oracle WebCenter header injection:
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
>  msg:"WEB-MISC Oracle WebCenter (FatWire) header injection on blobheadername2 and blobheadervalue2 attempt";
>  flow:to_server,established; content:"blobheadername2="; nocase; http_uri; content:"blobheadervalue2=";
>  nocase; http_uri; pcre:"/[\?\&]blobheadervalue2\=[^\&]*?[\x00-\x25\x27-\x2f\x3a-\x40\x5b-\x60\x7b-\xff]/Ui";
>  reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:1; rev:1;)
> 
> Don't forget to adjust the Snort variables.
> 
> Please post any comments.
> 
> Happy Detect
> Rmkml
> 
> http://twitter.com/rmkml
> 





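A way to see which requests the posted rule fires on, as an added example that is not part of the original thread: the Python below runs the rule's two `content` checks and its `pcre` over constructed URIs. It assumes plain percent-decoding as a stand-in for Snort's `http_uri` normalisation; the function name `trigger_byte` and the path `/example/blob` are hypothetical.

```python
import re
from urllib.parse import unquote_to_bytes

# pcre from the posted rule as a bytes pattern; the /i modifier becomes re.IGNORECASE.
# The final class is every byte except '&', 0-9, A-Z and a-z.
RULE_PCRE = re.compile(
    rb"[\?\&]blobheadervalue2\=[^\&]*?"
    rb"[\x00-\x25\x27-\x2f\x3a-\x40\x5b-\x60\x7b-\xff]",
    re.IGNORECASE,
)
CONTENTS = (b"blobheadername2=", b"blobheadervalue2=")  # both are nocase in the rule


def trigger_byte(raw_uri):
    """Return the byte that satisfies the rule's pcre, or None if the rule stays silent.

    Assumption: percent-decoding stands in for Snort's http_uri normalisation (/U).
    """
    uri = unquote_to_bytes(raw_uri)
    lowered = uri.lower()
    if not all(c in lowered for c in CONTENTS):
        return None  # a content match failed, so the pcre is never evaluated
    m = RULE_PCRE.search(uri)
    return m.group(0)[-1:] if m else None


# Constructed sample URIs (not captured traffic); the path is a placeholder.
SAMPLES = [
    "/example/blob?blobheadername2=Cache-Control&blobheadervalue2=private",
    "/example/blob?blobheadername2=Content-Type&blobheadervalue2=application/pdf",
    "/example/blob?blobheadername2=X-A&blobheadervalue2=abc%0d%0aX-B:%201",
    "/example/blob?BlobHeaderName2=X-A&BLOBHEADERVALUE2=abc&next=x/y",
    "/example/blob?blobheadervalue2=a-b",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{trigger_byte(uri)!r:8} {uri}")
```

The second sample shows that any non-alphanumeric byte in the value, including the `/` of a MIME type, satisfies the character class, so the rule is not limited to CR/LF. The fourth shows that the match stops at the next `&` and does not spill into later parameters.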