[Snort-sigs] New Community sig for detecting Oracle WebCenter header injection

Joel Esler jesler at ...435...
Thu Apr 18 14:07:45 EDT 2013


The two rules we have for this will ship as:

26468
26469


In the community set.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Apr 18, 2013, at 1:43 PM, Joel Esler <jesler at ...435...> wrote:

> Wow, that was bad.
> 
> We actually have rules written for this in testing already, so we'll move these from our VRT set into the community set.
> 
> Joel
> 
> On Apr 18, 2013, at 12:39 PM, Joel Esler <jesler at ...435...> wrote:
> 
>> Rmkml,
>> 
>> We actually have rules for this written this already in testing already, so what we do is we'll do is move them from our VRT set into the community set.
>> 
>> Joel
>> 
>> On Apr 18, 2013, at 11:26 AM, Joel Esler <jesler at ...435...> wrote:
>> 
>>> Thanks!  We'll take a look!
>>> 
>>> On Apr 17, 2013, at 4:15 PM, rmkml <rmkml at ...174...> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> Please find a new sig offered to the community for detecting Oracle WebCenter header injection:
>>>> 
>>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
>>>> msg:"WEB-MISC Oracle WebCenter (FatWire) header injection on blobheadername2 and blobheadervalue2 attempt";
>>>> flow:to_server,established; content:"blobheadername2="; nocase; http_uri; content:"blobheadervalue2=";
>>>> nocase; http_uri; pcre:"/[\?\&]blobheadervalue2\=[^\&]*?[\x00-\x25\x27-\x2f\x3a-\x40\x5b-\x60\x7b-\xff]/Ui";
>>>> reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:1; rev:1;)
>>>> 
>>>> Don't remember adjust snort variables.
>>>> 
>>>> Please post any comments?
>>>> 
>>>> Happy Detect
>>>> Rmkml
>>>> 
>>>> http://twitter.com/rmkml
>>>> 
>>> 
>> 
> 
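
An added example, not part of the original thread and not Sourcefire's or rmkml's code: a Python approximation of the posted rule's two content checks and its pcre, run over constructed request URIs to show which blobheadervalue2 values would alert and which byte triggers the match. The /app/blob path, the sample values and the function name are assumptions, and plain percent-decoding stands in for Snort's normalized URI buffer.

```python
import re
from urllib.parse import unquote_to_bytes

# The two content matches from the posted rule (both nocase, http_uri).
CONTENTS = (b"blobheadername2=", b"blobheadervalue2=")

# Same byte ranges as the rule's pcre, with a capture group added so the
# triggering byte can be reported: anything except 0-9, A-Z, a-z and '&'.
PCRE = re.compile(
    rb"[?&]blobheadervalue2=[^&]*?"
    rb"([\x00-\x25\x27-\x2f\x3a-\x40\x5b-\x60\x7b-\xff])",
    re.IGNORECASE,
)


def first_flagged_byte(raw_uri):
    """Return the byte in blobheadervalue2 that fires the rule, else None."""
    # Assumption: percent-decoding approximates the normalized http_uri
    # buffer that the pcre's U flag selects; real normalization does more.
    uri = unquote_to_bytes(raw_uri)
    lowered = uri.lower()
    if not all(c in lowered for c in CONTENTS):
        return None  # one of the content matches is missing
    m = PCRE.search(uri)
    return m.group(1) if m else None


# Constructed request URIs; the /app/blob path is hypothetical.
SAMPLES = [
    "/app/blob?blobheadername2=x&blobheadervalue2=abc123",
    "/app/blob?blobheadername2=x&blobheadervalue2=application/pdf",
    "/app/blob?blobheadername2=x&blobheadervalue2=abc%0d%0axyz",
    "/app/blob?BlobHeaderName2=x&BLOBHEADERVALUE2=a.b",
    "/app/blob?blobheadername2=x&blobheadervalue2=abc&other=a/b",
    "/app/blob?blobheadervalue2=a/b",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        hit = first_flagged_byte(uri)
        print("ALERT" if hit is not None else "quiet", repr(hit), uri)
```

Ordinary values such as application/pdf contain bytes in the flagged ranges, so replaying known-good traffic through a check like this helps estimate alert volume before enabling the rule.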
