[Snort-sigs] Fw: CVE-2017-9810, CVE-2017-9812 Signatures

Y M snort at outlook.com
Mon Jul 31 08:29:43 EDT 2017


Hello,


The two rules below are also derived from the references within the signatures. No pcaps available.


alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER Kaspersky Linux File Server WMC cross site request forgery attempt"; flow:to_client,established; file_data; content:"/cgi-bin/cgictl?action=setTaskSettings"; fast_pattern:only; content:"taskId="; nocase; content:"settings=|7B|"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-9810; reference:url,www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:attempted-admin; sid:110002; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Kaspersky Linux File Server WMC path traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl?action=getReportStatus"; fast_pattern:only; content:"&reportId=../"; distance:0; http_uri; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2017-9812; reference:url,www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:attempted-admin; sid:110003; rev:1;)


Thanks.

YM
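
With no pcaps available, the content matches of the two rules can be sanity-checked offline. The following Python is an added example, not part of the original message or of Snort; it models only content, nocase, |hex| escapes and distance:0 against a single buffer (an assumption that ignores file_data/http_uri buffer selection), and the sample buffers are constructed.

```python
import re

# Content options copied from sid:110002 and sid:110003 in the message above.
RULE_110002 = ('content:"/cgi-bin/cgictl?action=setTaskSettings"; fast_pattern:only; '
               'content:"taskId="; nocase; content:"settings=|7B|"; nocase;')
RULE_110003 = ('content:"/cgi-bin/cgictl?action=getReportStatus"; fast_pattern:only; '
               'content:"&reportId=../"; distance:0; http_uri; nocase;')

# Constructed sample buffers (not captured traffic).
PAGE_HIT = b'<a href="/cgi-bin/cgictl?action=setTaskSettings&taskId=1&settings={}">x</a>'
PAGE_MISS = b'<a href="/cgi-bin/cgictl?action=setTaskSettings&taskId=1">x</a>'
URI_HIT = b"/cgi-bin/cgictl?action=getReportStatus&REPORTID=../example"
URI_MISS = b"/cgi-bin/cgictl?action=getReportStatus&reportId=42"

def decode_content(text):
    """Turn Snort content text into bytes, expanding |hex| runs such as |7B|."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2:  # odd segments sit between pipes: space-separated hex bytes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_contents(rule):
    """Return (pattern, nocase, relative) for each content option, in rule order."""
    found = []
    pattern = r'content:"([^"]*)";((?:\s*(?!content:)[a-z_]+(?::[^;]*)?;)*)'
    for m in re.finditer(pattern, rule):
        mods = m.group(2)
        # fast_pattern:only contents are matched case-insensitively
        nocase = "nocase" in mods or "fast_pattern:only" in mods
        found.append((decode_content(m.group(1)), nocase, "distance:0" in mods))
    return found

def matches(rule, payload):
    """Simplified evaluation: every content must occur; relative ones after the prior match."""
    cursor = 0
    for pattern, nocase, relative in parse_contents(rule):
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        pos = hay.find(needle, cursor if relative else 0)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True

if __name__ == "__main__":
    for sid, rule, buf in [(110002, RULE_110002, PAGE_HIT), (110002, RULE_110002, PAGE_MISS),
                           (110003, RULE_110003, URI_HIT), (110003, RULE_110003, URI_MISS)]:
        print(sid, matches(rule, buf), buf.decode())
```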