<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif;" dir="ltr">
<p style="margin-top:0;margin-bottom:0"><span style="font-size: 11pt;">Hi,</span></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"><span style="font-size: 11pt;">The below signatures are for detecting attempted disclosure of credentials of the affected system. Opted for
</span><span style="font-size: 11pt;">individual signatures as opposed to using pcre. No pcaps
</span><span style="font-size: 14.6667px;">available</span><span style="font-size: 11pt;"> for this one.</span></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"></p>
<div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"GET"; http_method;
 content:"/isc/"; fast_pattern:only; http_uri; content:"get_sid.aspx"; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2017-17974; reference:url,vuldb.com/?id.111184; reference:url,misteralfa-hack.blogspot.com/2017/12/ba-system-improper-access-control.html;
 classtype:attempted-user; sid:9000005; rev:1;)</span></div>
<div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;"><br>
</span></div>
<div><span style="font-size: 10pt; font-family: Consolas, Courier, monospace;">alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"GET"; http_method;
 content:"/isc/"; fast_pattern:only; http_uri; content:"get_sid_js.aspx"; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2017-17974; reference:url,vuldb.com/?id.111184; reference:url,misteralfa-hack.blogspot.com/2017/12/ba-system-improper-access-control.html;
 classtype:attempted-user; sid:9000006; rev:1;)</span></div>
<br>
<p></p>
<p style="margin-top:0;margin-bottom:0"><span style="font-size: 11pt;">Thanks.</span></p>
<p style="margin-top:0;margin-bottom:0"><span style="font-size: 11pt;">YM</span></p>
</div>
</body>
</html>