<div dir="ltr">Rmkml,<div><br></div><div>Thanks for your submission. We will review the rule and get back to you when it's finished.</div><div><br></div><div>Sincerely,</div><div><br></div><div>Tyler Montier</div><div>Cisco Talos</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jun 8, 2017 at 3:35 PM, rmkml <span dir="ltr"><<a href="mailto:rmkml@...4129..." target="_blank">rmkml@...4129...</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
Please check a new sig for detecting OTRS Installation Dialog (after auth) attempt:<br>
<br>
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PERL OTRS Installation Dialog (after auth) attempt"; flow:to_server,established; content:"/otrs/index.pl?Action=Installer"; nocase; http_uri; classtype:web-application-activity; reference:cve,2017-9324; sid:1; rev:1; )<br>
<br>
Don't forget to check variables.<br>
<br>
Please send any comments.<br>
<br>
Regards<br>
@Rmkml<br>
<br>
______________________________<wbr>_________________<br>
Snort-sigs mailing list<br>
<a href="mailto:Snort-sigs@lists.sourceforge.net" target="_blank">Snort-sigs@...1306...<wbr>et</a><br>
<a href="https://lists.sourceforge.net/lists/listinfo/snort-sigs" rel="noreferrer" target="_blank">https://lists.sourceforge.net/<wbr>lists/listinfo/snort-sigs</a><br>
</blockquote></div><br></div>