[Snort-sigs] CVE-2017-17974 signatures

Tyler Montier tmontier at sourcefire.com
Mon Jan 8 10:53:16 EST 2018


Yaser,

Thanks for your submission. we will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier,
Cisco Talos

On Thu, Jan 4, 2018 at 1:09 PM, Y M via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> Hi,
>
>
> The below signatures are for detecting attempted disclosure of credentials
> of the affected system. Opted for individual signatures as opposed to
> using pcre. No pcaps available for this one.
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
> BA Systems BAS Web information disclosure attempt";
> flow:to_server,established; content:"GET"; http_method; content:"/isc/";
> fast_pattern:only; http_uri; content:"get_sid.aspx"; distance:0; http_uri;
> metadata:ruleset community, service http; reference:cve,2017-17974;
> reference:url,vuldb.com/?id.111184; reference:url,misteralfa-hack.
> blogspot.com/2017/12/ba-system-improper-access-control.html;
> classtype:attempted-user; sid:9000005; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
> BA Systems BAS Web information disclosure attempt";
> flow:to_server,established; content:"GET"; http_method; content:"/isc/";
> fast_pattern:only; http_uri; content:"get_sid_js.aspx"; distance:0;
> http_uri; metadata:ruleset community, service http;
> reference:cve,2017-17974; reference:url,vuldb.com/?id.111184;
> reference:url,misteralfa-hack.blogspot.com/2017/12/ba-
> system-improper-access-control.html; classtype:attempted-user;
> sid:9000006; rev:1;)
>
> Thanks.
>
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-
> the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180108/cf1c6f0d/attachment.html>


More information about the Snort-sigs mailing list