[Snort-sigs] CVE-2017-17974 signatures

Y M snort at outlook.com
Thu Jan 4 13:09:38 EST 2018


Hi,


The below signatures are for detecting attempted disclosure of credentials of the affected system. Opted for individual signatures as opposed to using pcre. No pcaps available for this one.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"GET"; http_method; content:"/isc/"; fast_pattern:only; http_uri; content:"get_sid.aspx"; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2017-17974; reference:url,vuldb.com/?id.111184; reference:url,misteralfa-hack.blogspot.com/2017/12/ba-system-improper-access-control.html; classtype:attempted-user; sid:9000005; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"GET"; http_method; content:"/isc/"; fast_pattern:only; http_uri; content:"get_sid_js.aspx"; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2017-17974; reference:url,vuldb.com/?id.111184; reference:url,misteralfa-hack.blogspot.com/2017/12/ba-system-improper-access-control.html; classtype:attempted-user; sid:9000006; rev:1;)


Thanks.

YM
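
With no pcaps available, the same match can be run retroactively over web server access logs. The sketch below is an added example, not part of the original post or of the Snort ruleset; it assumes Common Log Format lines, matches case-insensitively and after percent-decoding (broader than the rules' case-sensitive filename match), and uses constructed sample log lines with documentation IP addresses.

```python
import re
from urllib.parse import unquote

# Endpoints from the two signatures, mapped to the sid that covers each one.
ENDPOINTS = {"get_sid.aspx": 9000005, "get_sid_js.aspx": 9000006}

# Common Log Format: client ... "METHOD URI HTTP/x.y" status
REQUEST = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')


def match_endpoint(method, uri):
    """Return the endpoint name the request would hit, or None."""
    if method != "GET":                      # content:"GET"; http_method
        return None
    decoded = unquote(uri).lower()           # approximate the normalized URI
    start = decoded.find("/isc/")            # content:"/isc/"; http_uri
    if start == -1:
        return None
    rest = decoded[start + len("/isc/"):]    # distance:0 -> must follow /isc/
    for name in ENDPOINTS:
        if name in rest:
            return name
    return None


def hunt(lines):
    """Return (client, sid, endpoint, status) for each matching log line."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue                         # skip lines in another format
        client, method, uri, status = m.groups()
        name = match_endpoint(method, uri)
        if name:
            hits.append((client, ENDPOINTS[name], name, int(status)))
    return hits


# Constructed sample input, not taken from a real system.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jan/2018:13:01:02 -0500] "GET /isc/get_sid.aspx HTTP/1.1" 200 412',
    '198.51.100.7 - - [04/Jan/2018:13:01:05 -0500] "GET /ISC/get_sid_js.aspx HTTP/1.1" 200 655',
    '192.0.2.10 - - [04/Jan/2018:13:02:11 -0500] "GET /isc/%67et_sid.aspx?x=1 HTTP/1.1" 404 0',
    '192.0.2.10 - - [04/Jan/2018:13:02:40 -0500] "POST /isc/get_sid.aspx HTTP/1.1" 405 0',
    '192.0.2.22 - - [04/Jan/2018:13:03:00 -0500] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Hits with a 200 status are the ones to triage first, since the endpoint answered the request.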