[Snort-sigs] New sig for detecting OTRS Installation Dialog (after auth)

Tyler Montier tmontier at ...435...
Thu Jun 8 16:50:16 EDT 2017


Rmkml,

Thanks for your submission. We will review the rule and get back to you
when it's finished.

Sincerely,

Tyler Montier
Cisco Talos

On Thu, Jun 8, 2017 at 3:35 PM, rmkml <rmkml at ...4129...> wrote:

> Hi,
>
> Please check a new sig for detecting OTRS Installation Dialog (after auth)
> attempt:
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PERL
> OTRS Installation Dialog (after auth) attempt"; flow:to_server,established;
> content:"/otrs/index.pl?Action=Installer"; nocase; http_uri;
> classtype:web-application-activity; reference:cve,2017-9324; sid:1;
> rev:1; )
>
> Don't forget to check variables.
>
> Please send any comments.
>
> Regards
> @Rmkml

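An added example, not part of the original thread: a host-side check for the same request the submitted rule looks for, run over constructed access-log lines. It parses the query string rather than matching a fixed substring, so it also covers OTRS served under a different path alias or links that use `;` as the parameter separator; the combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = '''\
192.0.2.10 - - [08/Jun/2017:15:30:01 -0400] "GET /otrs/index.pl?Action=Installer HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [08/Jun/2017:15:30:05 -0400] "GET /otrs/index.pl?Action=AgentDashboard HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Jun/2017:15:31:12 -0400] "GET /helpdesk/index.pl?Lang=en&action=installer HTTP/1.1" 302 0 "-" "curl/7.52.1"
203.0.113.4 - - [08/Jun/2017:15:32:40 -0400] "GET /otrs/installer-notes.html HTTP/1.1" 404 312 "-" "Mozilla/5.0"
'''

# Source address, timestamp, request target and response status of one log line.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_installer_request(target):
    """True if the request target asks index.pl for Action=Installer."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/index.pl"):
        return False
    # Accept both '&' and ';' as parameter separators.
    params = parse_qs(parts.query.replace(";", "&"), keep_blank_values=True)
    # Case-insensitive comparison, mirroring the rule's "nocase" modifier.
    return any(
        key.lower() == "action" and any(v.lower() == "installer" for v in values)
        for key, values in params.items()
    )

def find_installer_hits(log_text):
    """Return (source, timestamp, target, status) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_installer_request(m["target"]):
            hits.append((m["src"], m["ts"], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for src, ts, target, status in find_installer_hits(SAMPLE_LOG):
        print(f"{ts} {src} -> {target} (HTTP {status})")
```

The status code in each hit shows whether the server actually returned a page for the request, which helps when triaging alerts from the network rule.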
