[Snort-sigs] JBoss AS Exploit Sig

James Lay jlay at ...3266...
Tue Nov 19 10:50:06 EST 2013


Didn't see this in the current sets, so thought I'd make one:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS 
(msg:"SERVER-WEBAPP JBoss AS Exploit command"; 
flow:established,to_server; file_data; content:"pwn.jsp|3f|cmd="; 
http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy 
security-ips drop, ruleset community, service http; 
reference:url,blog.imperva.com/2013/11/threat-advisory-a-jboss-as-exploit-web-shell-code-injection.html; 
classtype:trojan-activity; sid:10000113; rev:1;)

James




More information about the Snort-sigs mailing list