# sid 2024096, rev 3 (copy with full metadata): detects an OGNL-style expression inside a
# multipart "filename" value in an HTTP request to $HTTP_SERVERS (msg ties it to CVE-2017-5638).
# All of the following must match:
#   - request body contains "Content-Disposition:" and "filename" (case-insensitive, any position);
#   - pcre (P = request body, m = multiline, i = case-insensitive): one body line holds
#     filename = <value>, where the value has no ";" or ":" before a "%" or "$", and that
#     character is followed by "{", at least 20 non-newline characters, and "}";
#   - request headers contain "multipart/form-data" (case-insensitive).
# The pcre is not relative to the content matches, so it is not bound to the Content-Disposition line.
# Operational notes: body keywords only see what the engine reassembles and can read in clear,
# so check the HTTP request-body inspection limit and where TLS is terminated; $HTTP_SERVERS
# must include the Struts hosts. msg says "Possible": an alert indicates a matching request,
# not a successful exploit; correlate with server version and host logs.
# The metadata keywords (former_category, affected_product, attack_target, deployment,
# signature_severity, created_at, updated_at) are informational and do not affect matching.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/Pmi"; content:"multipart/form-data"; http_header; nocase; metadata: former_category WEB_SPECIFIC_APPS; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, deployment Datacenter, signature_severity Major, created_at 2017_03_20, updated_at 2017_03_21;)

Added 2017-08-07 21:19:23 UTC


# sid 2024096, rev 3 (copy without any metadata keyword): HTTP request inspection for an
# OGNL-style expression in a multipart "filename" value.
# Requires: "Content-Disposition:" and "filename" in the request body (case-insensitive);
# a body line where filename = <value> contains "%" or "$" followed by "{", at least 20
# non-newline characters, and "}" (pcre flags P/m/i); and "multipart/form-data" in the headers.
# Detection depends on the engine seeing the request body (inspection limit, TLS termination)
# and on $HTTP_SERVERS covering the application hosts.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/Pmi"; content:"multipart/form-data"; http_header; nocase; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:3;)

Added 2017-05-05 16:59:01 UTC


# sid 2024096, rev 3 (copy carrying only "metadata: former_category"): HTTP request inspection
# for an OGNL-style expression in a multipart "filename" value.
# Requires: "Content-Disposition:" and "filename" in the request body (case-insensitive);
# a body line where filename = <value> contains "%" or "$" followed by "{", at least 20
# non-newline characters, and "}" (pcre flags P/m/i); and "multipart/form-data" in the headers.
# The metadata keyword is informational; the match logic is in the content/pcre options.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/Pmi"; content:"multipart/form-data"; http_header; nocase; metadata: former_category WEB_SPECIFIC_APPS; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:3;)

Added 2017-05-03 17:35:44 UTC


# sid 2024096, rev 3 (copy without any metadata keyword): HTTP request inspection for an
# OGNL-style expression in a multipart "filename" value.
# Requires: "Content-Disposition:" and "filename" in the request body (case-insensitive);
# a body line where filename = <value> contains "%" or "$" followed by "{", at least 20
# non-newline characters, and "}" (pcre flags P/m/i); and "multipart/form-data" in the headers.
# This revision places no condition on Content-Length.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/Pmi"; content:"multipart/form-data"; http_header; nocase; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:3;)

Added 2017-03-22 18:05:24 UTC


# sid 2024096, rev 2: same request-body and header conditions as the rev 3 text on this page
# ("Content-Disposition:" and "filename" in the body, a filename value containing "%{" or "${"
# with at least 20 characters before "}", and "multipart/form-data" in the headers), plus one
# extra condition:
#   - pcre on the request headers (H, multiline, case-sensitive): a header line reading
#     "Content-Length: " followed by ten or more digits.
# Coverage note: because of that extra pcre, this revision only alerts when the request also
# declares a Content-Length of at least ten digits; the rev 3 text on this page omits it.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/Pmi"; pcre:"/^Content-Length\x3a\x20\d{10,}\r?\n/Hm"; content:"multipart/form-data"; http_header; nocase; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:2;)

Added 2017-03-21 17:46:23 UTC


# sid 2024096, rev 1: raw TCP-stream signature (alert tcp, destination $HTTP_PORTS); it uses
# no HTTP buffer keywords, so every content and pcre option is evaluated against the
# reassembled stream payload rather than a parsed header or body.
# Requires: "Content-Disposition:" (case-insensitive), "{", "}", "java." (case-insensitive)
# and ".ognl" (used only for the fast-pattern prefilter), plus a pcre (multiline,
# case-insensitive) for a line that starts with "Content-Disposition:", contains "{",
# has "java." somewhere after it on the same line, and then ".ognl" followed by "}".
# Coverage notes: only traffic to ports listed in $HTTP_PORTS is inspected, and the rule
# keys on the literal strings "java." and ".ognl" rather than on the "%{"/"${" expression
# syntax. The nocase on content:"{" has no effect on a non-alphabetic byte.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; content:"{"; nocase; content:"}"; content:"java|2e|"; nocase; content:"|2e|ognl"; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]*?\{(?=[^\r\n]*java\.)[^\r\n]*\.ognl[^\r\n]*\}/mi"; classtype:web-application-attack; sid:2024096; rev:1;)

Added 2017-03-20 20:33:41 UTC


# sid 2024096, rev 1 (earliest copy on this page): raw TCP-stream signature (alert tcp,
# destination $HTTP_PORTS) with no HTTP buffer keywords.
# Requires: "Content-Disposition:" (case-insensitive), "{", "}", "java." (case-insensitive)
# and ".ognl" (fast-pattern prefilter only), plus a pcre (multiline, case-insensitive) for a
# line that starts with "Content-Disposition:", contains "{", has "java." after it on the
# same line, and then ".ognl" followed by "}".
# Coverage notes: only ports in $HTTP_PORTS are inspected, and matching depends on the
# literal strings "java." and ".ognl" being present on the Content-Disposition line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1"; flow:to_server,established; content:"Content-Disposition|3a|"; nocase; content:"{"; nocase; content:"}"; content:"java|2e|"; nocase; content:"|2e|ognl"; fast_pattern:only; pcre:"/^Content-Disposition\x3a[^\r\n]*?\{(?=[^\r\n]*java\.)[^\r\n]*\.ognl[^\r\n]*\}/mi"; classtype:web-application-attack; sid:2024096; rev:1;)

Added 2017-03-20 19:16:56 UTC

