[Snort-sigs] Fw: CVE-2017-6316 Signature

Y M snort at outlook.com
Mon Jul 31 08:29:04 EDT 2017

Sent these to the old list address.


The signature below is derived from the references available within the signature. Maybe split the signature into two, one for CloudBridge and the other for the SDN version? No pcap is available, sorry.

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Citrix NetScaler CloudBridge/SD-WAN session cookie privilege escalation attempt"; flow:to_server; content:"POST"; http_method; content:"/global_data/"; fast_pattern:only; http_uri; pcre:"/Cookie\x3a\x20(CGISESSID|CAKEPHP)\x3d[a-f0-9]{32}\x60/H"; reference:cve,2017-6316; reference:url,support.citrix.com/article/CTX225990; reference:url,vuldb.com/?id.104319; reference:url,www.exploit-db.com/exploits/42345/; metadata:ruleset community, service http; classtype:attempted-admin; sid:110001; rev:1;)
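
With no pcap available, the rule's logic can be exercised against constructed requests. The following is an added example, not part of the original post: it approximates the rule's three checks in Python (Snort's http_method, http_uri and header buffers are simplified to fields parsed from the raw request), and the host name, session id and `lang` cookie are constructed values.

```python
import re

# Regex copied from the rule's pcre option; Snort's /H header buffer is
# approximated here by the raw header block of the request.
COOKIE_RE = re.compile(r"Cookie\x3a\x20(CGISESSID|CAKEPHP)\x3d[a-f0-9]{32}\x60")

def rule_matches(raw_request: bytes) -> bool:
    """Approximate the rule's three checks on one raw HTTP request."""
    head = raw_request.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, _, headers = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    method, uri = parts[0], parts[1]
    return ("POST" in method                  # content:"POST"; http_method
            and "/global_data/" in uri        # content:"/global_data/"; http_uri
            and COOKIE_RE.search(headers) is not None)

SID = "0123456789abcdef0123456789abcdef"      # constructed 32-hex session id

def build(method: str, uri: str, cookies: str) -> bytes:
    """Build a constructed request; appliance.example is a placeholder host."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: appliance.example\r\n"
            f"Cookie: {cookies}\r\n\r\n").encode("latin-1")

# Constructed samples covering each option of the rule.
SAMPLES = {
    "CGISESSID followed by backtick": build("POST", "/global_data/", f"CGISESSID={SID}`"),
    "CAKEPHP followed by backtick": build("POST", "/global_data/", f"CAKEPHP={SID}`"),
    "ordinary session cookie": build("POST", "/global_data/", f"CGISESSID={SID}"),
    "GET instead of POST": build("GET", "/global_data/", f"CGISESSID={SID}`"),
    "different URI": build("POST", "/index.html", f"CGISESSID={SID}`"),
    # Coverage limit: the pcre expects the cookie name right after "Cookie: ".
    "session cookie listed second": build("POST", "/global_data/", f"lang=en; CGISESSID={SID}`"),
}

def evaluate() -> dict:
    """Return sample name -> True when the approximated rule would alert."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{'ALERT' if fired else 'quiet':5}  {name}")
```
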

