[Snort-sigs] CVE-2017-9097 signature

Y M snort at outlook.com
Thu Jan 4 13:12:34 EST 2018


Hi,


The signature below attempts to detect directory traversal on the affected system. Subsequent attacks use the retrieved credentials to perform RCE.


alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web industrial OT directory traversal attempt"; flow:to_server,established; content:"POST"; http_method; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"page=/"; http_client_body; content:"&template=../"; distance:0; http_client_body; metadata:ruleset community, service http; reference:cve,2017-9097; reference:url,github.com/ezelf/AntiWeb_testing-Suite/blob/master/LFI/anti-web-v1.py; classtype:attempted-user; sid:9000010; rev:1;)


Thanks.

YM
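
Added example, not part of the original post or the author's code: a Python approximation of the rule's content checks, for trying the match logic offline against constructed requests. It does not model http_inspect normalization, flow state or port variables; the helper names, host name and sample requests are assumptions.

```python
# Added example: offline approximation of the rule's content checks.
# Assumptions: http_inspect normalization, flow state and ports are not modeled.
URI_PATTERN = b"/cgi-bin/write.cgi"      # content ... http_uri
BODY_FIRST = b"page=/"                   # content ... http_client_body
BODY_SECOND = b"&template=../"           # content ... distance:0; http_client_body


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1], body


def rule_matches(raw: bytes) -> bool:
    """True when every content option of the rule would match this request."""
    try:
        method, uri, body = parse_request(raw)
    except ValueError:
        return False
    if b"POST" not in method or URI_PATTERN not in uri:
        return False
    first = body.find(BODY_FIRST)
    if first < 0:
        return False
    # distance:0 -> the second pattern must start at or after the end of the first
    return body.find(BODY_SECOND, first + len(BODY_FIRST)) >= 0


def request(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Build a constructed HTTP/1.1 request for testing."""
    headers = b"Host: device.example\r\nContent-Length: %d\r\n" % len(body)
    return method + b" " + uri + b" HTTP/1.1\r\n" + headers + b"\r\n" + body


# Constructed samples (not captured traffic); the path after ../ is a placeholder.
SAMPLES = {
    "traversal": request(b"POST", b"/cgi-bin/write.cgi", b"page=/&template=../../PLACEHOLDER"),
    "benign_template": request(b"POST", b"/cgi-bin/write.cgi", b"page=/&template=home.html"),
    "wrong_method": request(b"GET", b"/cgi-bin/write.cgi", b"page=/&template=../../PLACEHOLDER"),
    "other_cgi": request(b"POST", b"/cgi-bin/other.cgi", b"page=/&template=../../PLACEHOLDER"),
    "template_first": request(b"POST", b"/cgi-bin/write.cgi", b"x=1&template=../P&page=/"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} alert={rule_matches(raw)}")
```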