[Snort-sigs] new sig for detecting Apache / PHP RCE

rmkml rmkml at ...174...
Wed Oct 30 18:23:28 EDT 2013


Hi Joel, VRT, SF, Cisco,

I created this community rule without first checking whether you covered it or not.
(because @Kingcope recently posted an exploit)

OK, I checked your rules, and 22064 + 22097 do not cover exactly this exploit.
(22064 + 22097 need \? and after -s)

But thanks, 22063 fires.

Best Regards
@Rmkml

On Wed, 30 Oct 2013, Joel Esler wrote:

> rmkml,
> This is CVE-2012-1823, covered by SIDs 22063, 22064, and 22097.
> 
> Are you not seeing these rules fire?
> 
> --
> Joel Esler
> AEGIS Intelligence Lead
> OpenSource Community Manager
> Vulnerability Research Team, Sourcefire
> 
> On Oct 30, 2013, at 5:30 PM, rmkml <rmkml at ...174...> wrote:
>
>       Hi,
>
>       Created a new Community rule for detecting this exploit:
>
>       alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Apache /
>       PHP 5.x Remote Code Execution Kingcope attempt"; flow:to_server,established;
>       content:"POST"; nocase; http_method; content:"/cgi-bin/php"; nocase; http_uri;
>       content:"-d"; nocase; http_uri; distance:0; content:!"|0A|Referer|3a|"; nocase;
>       http_header; pcre:"/^\/cgi\-bin\/php(?:|[45]|[\-\.]cgi)\?/Ui";
>       pcre:"/\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()/Psi";
>       reference:url,www.exploit-db.com/exploits/29290; classtype:attempted-admin;
>       sid:95417; rev:1; )
>
>       Please follow my new project http://etplc.org
>
>       Regards
>       @Rmkml
>
>       PS: Thx @Kingcope
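As an added illustration (not part of the original thread), here are the conditions of the posted rule (sid:95417) re-implemented in plain Python and run over two constructed requests, so the match logic can be checked offline. Snort's http_inspect URI normalisation is approximated by percent-decoding only, and the sample traffic is made up for this example.

```python
import re
from urllib.parse import unquote

# Regexes lifted from the rule's two pcre options (U = normalised URI, P = POST body).
URI_RE = re.compile(r"^/cgi-bin/php(?:|[45]|[-.]cgi)\?", re.I)
BODY_RE = re.compile(r"\b(?:proc_open\s*\(|pcntl_fork\s*\(|chdir\s*\(|umask\s*\()", re.I | re.S)

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body.decode("latin-1")

def rule_matches(raw: bytes) -> bool:
    """True only when every condition of the posted rule holds, in rule order."""
    method, uri, headers, body = parse_request(raw)
    norm_uri = unquote(uri)                       # rough stand-in for http_inspect normalisation
    if method.upper() != "POST":                  # content:"POST"; nocase; http_method
        return False
    pos = norm_uri.lower().find("/cgi-bin/php")   # content:"/cgi-bin/php"; nocase; http_uri
    if pos < 0:
        return False
    if norm_uri.lower().find("-d", pos + len("/cgi-bin/php")) < 0:  # content:"-d"; distance:0
        return False
    if "referer" in headers:                      # content:!"|0A|Referer|3a|"; http_header
        return False
    if not URI_RE.search(norm_uri):               # pcre:".../Ui"
        return False
    return bool(BODY_RE.search(body))             # pcre:".../Psi"

# Constructed sample traffic (not captures from the original post).
SUSPICIOUS = (
    b"POST /cgi-bin/php5?-d+display_errors%3D1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 19\r\n\r\n"
    b"<?php umask (0); ?>"
)
BENIGN = (
    b"POST /cgi-bin/php5?page=1 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://www.example.com/\r\n\r\n"
    b"name=alice&chdir=yes"
)
```

The benign request fails on the `-d` URI content and again on the Referer exclusion, which is why the body keyword `chdir` alone never fires the rule.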