[Snort-sigs] New rule offered for detecting Zimbra conf/localconfig.xml attempt

rmkml rmkml at ...174...
Wed Jan 15 16:01:36 EST 2014


I'm offering a new rule for detecting Zimbra conf/localconfig.xml attempts.

Warning: Zimbra runs over HTTPS (no problem with etplc).

alert tcp any any -> any $HTTPS_PORTS (msg:"WEB-MISC Zimbra conf/localconfig.xml attempt"; flow:to_server,established; content:"conf/localconfig.xml"; nocase; http_uri; reference:cve,2013-7091; reference:bugtraq,64149; reference:osvdb,100747; reference:exploitdb,30472; reference:cxsecurity,WLB-2013120097; classtype:web-application-attack; sid:1; rev:1;)

Please check all variables before use.

Discovered during my new project http://etplc.org

All comments are welcome.
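
Added example (not part of the original post): since the post warns that Zimbra runs over HTTPS, the rule's case-insensitive URI match can also be run over the web server's access logs where the sensor does not see decrypted traffic. The combined log format, the sample lines and the function names are assumptions constructed for illustration, and the normalisation only approximates a normalized URI buffer.

```python
import re
from urllib.parse import unquote

# Same literal the rule matches: content:"conf/localconfig.xml"; nocase; http_uri;
NEEDLE = "conf/localconfig.xml"

# Common/combined log format: host ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_uri(uri, rounds=2):
    """Approximate URI normalisation (assumption, not Snort's algorithm):
    percent-decode up to `rounds` times to catch double encoding, unify
    slashes, collapse repeated slashes, lowercase to mirror `nocase`."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    uri = uri.replace("\\", "/")
    uri = re.sub(r"/{2,}", "/", uri)
    return uri.lower()

def find_hits(lines):
    """Return (source, status, raw_uri) for each request whose URI matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and NEEDLE in normalize_uri(m.group("uri")):
            hits.append((m.group("src"), int(m.group("status")), m.group("uri")))
    return hits

# Constructed sample lines: documentation-range addresses, made-up paths.
SAMPLE = [
    '192.0.2.10 - - [15/Jan/2014:16:01:36 -0500] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Jan/2014:16:02:01 -0500] "GET /app/res?f=../conf/localconfig.xml HTTP/1.1" 200 4096',
    '198.51.100.7 - - [15/Jan/2014:16:02:05 -0500] "GET /app/res?f=..%2FCONF%2FLocalConfig.XML HTTP/1.1" 404 0',
    '203.0.113.5 - - [15/Jan/2014:16:03:00 -0500] "GET /app/res?f=conf%252flocalconfig.xml HTTP/1.1" 200 4096',
    '192.0.2.10 - - [15/Jan/2014:16:04:00 -0500] "GET /conf/local.xml HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, status, uri in find_hits(SAMPLE):
        print(f"{src} status={status} uri={uri}")
```

The status code is returned with each hit so that matches answered with 200 can be triaged before those that were rejected.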

