<div dir="ltr">Yaser,<div><br></div><div>Thanks for your submission. We will review the rules and get back to you when they're finished.</div><div><br></div><div>Sincerely,</div><div><br></div><div>Tyler Montier,</div><div>Cisco Talos</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 4, 2018 at 1:09 PM, Y M via Snort-sigs <span dir="ltr"><<a href="mailto:snort-sigs@lists.snort.org" target="_blank">snort-sigs@lists.snort.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">




<div dir="ltr">
<div id="m_8039380957045264354divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Helvetica,sans-serif" dir="ltr">
<p style="margin-top:0;margin-bottom:0"><span style="font-size:11pt">Hi,</span></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"><span style="font-size:11pt">The below signatures are for detecting attempted disclosure of credentials of the affected system. Opted for
</span><span style="font-size:11pt">individual signatures as opposed to using pcre. No pcaps
</span><span style="font-size:14.6667px">available</span><span style="font-size:11pt"> for this one.</span></p>
<p style="margin-top:0;margin-bottom:0"><br>
</p>
<p style="margin-top:0;margin-bottom:0"></p>
<div><span style="font-size:10pt;font-family:Consolas,Courier,monospace">alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"GET"; http_method;
 content:"/isc/"; fast_pattern:only; http_uri; content:"get_sid.aspx"; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2017-17974; reference:url,<a href="http://vuldb.com/?id.111184" target="_blank">vuldb.com/?id.<wbr>111184</a>; reference:url,<a href="http://misteralfa-hack.blogspot.com/2017/12/ba-system-improper-access-control.html" target="_blank">misteralfa-hack.<wbr>blogspot.com/2017/12/ba-<wbr>system-improper-access-<wbr>control.html</a>;
 classtype:attempted-user; sid:9000005; rev:1;)</span></div>
<div><span style="font-size:10pt;font-family:Consolas,Courier,monospace"><br>
</span></div>
<div><span style="font-size:10pt;font-family:Consolas,Courier,monospace">alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"GET"; http_method;
 content:"/isc/"; fast_pattern:only; http_uri; content:"get_sid_js.aspx"; distance:0; http_uri; metadata:ruleset community, service http; reference:cve,2017-17974; reference:url,<a href="http://vuldb.com/?id.111184" target="_blank">vuldb.com/?id.<wbr>111184</a>; reference:url,<a href="http://misteralfa-hack.blogspot.com/2017/12/ba-system-improper-access-control.html" target="_blank">misteralfa-hack.<wbr>blogspot.com/2017/12/ba-<wbr>system-improper-access-<wbr>control.html</a>;
 classtype:attempted-user; sid:9000006; rev:1;)</span></div>
<br>
<p></p>
<p style="margin-top:0;margin-bottom:0"><span style="font-size:11pt">Thanks.</span></p><span class="HOEnZb"><font color="#888888">
<p style="margin-top:0;margin-bottom:0"><span style="font-size:11pt">YM</span></p>
</font></span></div>
</div>

<br></blockquote></div><br></div>
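<p>Because the submission notes that no pcaps are available, the following added example (not part of the original thread or of the submitted rules) applies the conditions of the two signatures to web access log lines for retrospective hunting. The log format, sample lines and function names are constructed assumptions; it percent-decodes the URI as an approximation of Snort's URI normalization and compares case-insensitively, which is broader than the rules' content matches.</p>

```python
import re
from urllib.parse import unquote

# Page names taken from the two submitted rules, mapped to their sids.
TARGET_PAGES = {"get_sid.aspx": 9000005, "get_sid_js.aspx": 9000006}

# Request field of a common/combined log format line: "METHOD URI PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+"')

def match_request(method, uri):
    """Return the sid whose conditions the request meets, else None."""
    if method != "GET":                      # content:"GET"; http_method
        return None
    norm = unquote(uri).lower()              # decode %xx escapes, fold case
    idx = norm.find("/isc/")                 # content:"/isc/"; http_uri
    if idx == -1:
        return None
    tail = norm[idx + len("/isc/"):]         # page name must follow "/isc/"
    for page, sid in TARGET_PAGES.items():
        if page in tail:
            return sid
    return None

def scan(lines):
    """Return (line number, sid, client address) for every matching line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            sid = match_request(m["method"], m["uri"])
            if sid:
                hits.append((n, sid, line.split()[0]))
    return hits

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jan/2018:13:00:01 +0000] "GET /isc/get_sid.aspx HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/Jan/2018:13:00:02 +0000] "GET /isc/get_sid_js.aspx HTTP/1.1" 200 498',
    '198.51.100.7 - - [04/Jan/2018:13:00:03 +0000] "GET /ISC/Get_SID.aspx HTTP/1.1" 200 512',
    '198.51.100.8 - - [04/Jan/2018:13:00:04 +0000] "GET /isc/%67et_sid.aspx HTTP/1.1" 200 512',
    '203.0.113.5 - - [04/Jan/2018:13:00:05 +0000] "POST /isc/get_sid.aspx HTTP/1.1" 405 0',
    '203.0.113.6 - - [04/Jan/2018:13:00:06 +0000] "GET /isc/login.aspx HTTP/1.1" 200 2048',
    '203.0.113.7 - - [04/Jan/2018:13:00:07 +0000] "GET /get_sid.aspx?next=/isc/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```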