[Snort-sigs] new sig for detecting Apache / PHP RCE
rmkml at ...174...
Wed Oct 30 18:23:28 EDT 2013
Hi Joel, VRT, SF, Cisco,
I have created this community rule without previously checking whether you covered it or not.
(because @Kingcope posted the exploit recently)
OK, I'm checking your rules, and 22064 + 22097 don't cover exactly this exploit.
(22064 + 22097 need \? and after -s)
but thx, 22063 fires.
On Wed, 30 Oct 2013, Joel Esler wrote:
> This is CVE-2012-1823, covered by sids: 22063, 22064, and 22097.
> Are you not seeing these rules fire?
> Joel Esler
> AEGIS Intelligence Lead
> OpenSource Community Manager
> Vulnerability Research Team, Sourcefire
> On Oct 30, 2013, at 5:30 PM, rmkml <rmkml at ...174...> wrote:
> Created a new Community rule for detecting this exploit:
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Apache / PHP 5.x Remote Code Execution Kingcope attempt"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/cgi-bin/php"; nocase; http_uri; content:"-d"; nocase; http_uri; distance:0; content:!"|0A|Referer|3a|"; nocase; http_header; pcre:"/^\/cgi\-bin\/php(?:||[\-\.]cgi)\?/Ui"; reference:url,www.exploit-db.com/exploits/29290; classtype:attempted-admin; sid:95417; rev:1; )
> Please follow my new project http://etplc.org
> PS: Thx @Kingcope
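As an added illustration (not part of this thread and not Snort's own matching engine), here is a Python approximation of the checks in sid 95417, run over constructed request samples. It assumes a simplified URI normalization (percent-decoding only) and ignores flow/stream state.

```python
import re
from urllib.parse import unquote

# Regex taken from the rule's pcre option: "U" = normalized URI buffer, "i" = nocase.
URI_RE = re.compile(r"^/cgi-bin/php(?:||[\-\.]cgi)\?", re.IGNORECASE)
PATH_CONTENT = "/cgi-bin/php"


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, head) or None if malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, _headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    return parts[0].decode("latin-1"), parts[1].decode("latin-1"), head


def matches_rule(raw: bytes) -> bool:
    """Return True when the request satisfies every option of sid 95417."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, head = parsed
    # content:"POST"; nocase; http_method;
    if method.upper() != "POST":
        return False
    # Approximation of Snort's http_inspect URI normalization (assumption).
    norm = unquote(uri)
    # content:"/cgi-bin/php"; nocase; http_uri;  and  pcre:"/^\/cgi\-bin\/php(...)\?/Ui"
    idx = norm.lower().find(PATH_CONTENT)
    if idx < 0 or URI_RE.match(norm) is None:
        return False
    # content:"-d"; nocase; http_uri; distance:0;  -> "-d" after the previous match
    if "-d" not in norm.lower()[idx + len(PATH_CONTENT):]:
        return False
    # content:!"|0A|Referer|3a|"; nocase; http_header;  -> must NOT carry a Referer
    if re.search(rb"\nReferer:", head, re.IGNORECASE):
        return False
    return True


# Constructed sample traffic (not captured from any real host).
SUSPICIOUS = (b"POST /cgi-bin/php?-d+display_errors%3d1 HTTP/1.1\r\n"
              b"Host: www.example.test\r\nContent-Length: 0\r\n\r\n")
SUSPICIOUS_CGI = b"POST /cgi-bin/php.cgi?-d+x HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
BENIGN_GET = b"GET /cgi-bin/php-cgi?page=home HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
WITH_REFERER = (b"POST /cgi-bin/php-cgi?-d+x HTTP/1.1\r\nHost: www.example.test\r\n"
                b"Referer: http://www.example.test/\r\n\r\n")
```

The Referer exclusion is why a browser-originated POST to the same path is not flagged, which is the false-positive trade-off the rule makes.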