[Emerging-Sigs] StillSecure: 10 New Signatures - 7th Dec 2012

signatures at stillsecure.com
Sun Dec 9 17:24:54 HAST 2012


Most welcome.  Thanks for the feedback.



*StillSecure*
Security Research Team


O 303.381.3864 F 303.381.3881
*The information transmitted is intended only for the person to whom it is
addressed and may contain confidential material.
Review or other use of this information by persons other than the intended
recipient is prohibited. If you've received
this in error, please contact the sender and delete from any computer.*



*From:* Will Metcalf [mailto:wmetcalf at emergingthreatspro.com]
*Sent:* Friday, December 07, 2012 4:55 PM
*To:* signatures at stillsecure.com
*Cc:* emerging-sigs at emergingthreats.net
*Subject:* Re: [Emerging-Sigs] StillSecure: 10 New Signatures - 7th Dec 2012



Thanks and welcome back!  All posted with some minor modifications to the
pcre's, removed nocase from dir traversal, added some fast_pattern's for
the appropriate platforms etc.

Regards,

Will

On Fri, Dec 7, 2012 at 1:20 AM, <signatures at stillsecure.com> wrote:

Hi Matt,

Please find 10 New Signatures below:

1. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/admin/admin_header.php?"; nocase; http_uri; content:"root_folder_path="; nocase; http_uri; pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13753; rev:1;)

2. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/ajax_list_tree.php?"; nocase; http_uri; content:"root_folder_path="; nocase; http_uri; pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13754; rev:1;)

3. ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/previews_functions.php?"; nocase; http_uri; content:"root_folder_path="; nocase; http_uri; pcre:"/root\_folder\_path=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:13755; rev:1;)

4. ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/dispatch.php?"; nocase; http_uri; content:"atkaction=search"; nocase; http_uri; content:"atknodetype="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:13756; rev:1;)

5. ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tests/test_tools/functional_tests.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:13757; rev:1;)

6. ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/demos/time-tracker/tests/functional.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:13758; rev:1;)

7. ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/consulta_fact.php?"; nocase; http_uri; content:"fact_num="; nocase; http_uri; pcre:"/fact_num\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13759; rev:1;)

8. ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newinventario.php?"; nocase; http_uri; content:"sn="; nocase; http_uri; pcre:"/sn\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13760; rev:1;)

9. ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newtransact.php?"; nocase; http_uri; content:"ref="; nocase; http_uri; pcre:"/ref\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:13761; rev:1;)

10. ET WEB_SPECIFIC_APPS Nagios XI Network Monitor host parameter OS command injection attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor host parameter OS command injection attempt"; flow:established,to_server; content:"/includes/components/graphexplorer/visApi.php?"; nocase; http_uri; content:"type="; nocase; http_uri; content:"host="; nocase; http_uri; pcre:"/host\x3d.+cat.+\/.+/Ui"; reference:url,packetstormsecurity.org/files/118497/Nagios-XI-Network-Monitor-2011R1.9-OS-Command-Injection.html; classtype:web-application-attack; sid:13762; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro
http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through
Current!
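As an added example, not code from the post above or from the Emerging Threats ruleset: a small Python model of the http_uri content and pcre checks in rules 1, 4 and 10, run over a few constructed request lines so that a rule author can see which requests each rule fires on before submitting it. The Rule structure, the rule labels, the sample requests (203.0.113.5 is a documentation address) and the "traversal check on http_uri" variant of rule 4 are all made up here; percent-decoding stands in for http_inspect's URI normalization, and fast_pattern, distance/within and http_method checks are not modelled.

```python
import re
from collections import namedtuple
from urllib.parse import unquote

# Hypothetical model of a rule's HTTP checks (added for this example):
#   contents: (literal, buffer) pairs; buffer "uri" stands for a `content`
#             with `nocase; http_uri`, buffer "raw" for a `content` with
#             `nocase; depth:200` and no http_uri (raw request bytes)
#   pcre:     the body of a `pcre:"/.../Ui"` option, or None
Rule = namedtuple("Rule", "name contents pcre")

VISAPI = "/includes/components/graphexplorer/visApi.php?"

RULES = [
    Rule("sid:13753 ViArt RFI",
         [("/admin/admin_header.php?", "uri"), ("root_folder_path=", "uri")],
         r"root_folder_path=\s*(ftps?|https?|php)\x3a\/"),
    Rule("sid:13756 Achievo LFI, as posted (|2e 2e 2f| on the raw payload)",
         [("/dispatch.php?", "uri"), ("atkaction=search", "uri"),
          ("atknodetype=", "uri"), ("../", "raw")],
         None),
    # Hypothetical variant (not in the post): the same rule with the
    # traversal content moved onto the normalized http_uri buffer.
    Rule("sid:13756 Achievo LFI, traversal check on http_uri",
         [("/dispatch.php?", "uri"), ("atkaction=search", "uri"),
          ("atknodetype=", "uri"), ("../", "uri")],
         None),
    Rule("sid:13762 Nagios XI command injection",
         [(VISAPI, "uri"), ("type=", "uri"), ("host=", "uri")],
         r"host\x3d.+cat.+\/.+"),
]

# Constructed request lines for this example, not taken from the post or
# the referenced advisories. 203.0.113.5 is a documentation address.
SAMPLE_REQUESTS = [
    "GET /admin/admin_header.php?root_folder_path=http://203.0.113.5/x HTTP/1.1",
    "GET /admin/admin_header.php?root_folder_path=/var/www/shop/ HTTP/1.1",
    "GET /dispatch.php?atkaction=search&atknodetype=../../config/example.ini HTTP/1.1",
    "GET /dispatch.php?atkaction=search&atknodetype=%2e%2e%2f%2e%2e%2fconfig/example.ini HTTP/1.1",
    "GET " + VISAPI + "type=host&host=db01&mode=catalog/all HTTP/1.1",
    "GET " + VISAPI + "type=host&host=db01 HTTP/1.1",
]


def normalized_uri(request_line):
    """Extract the URI and percent-decode it: a rough stand-in for the
    normalized http_uri buffer that http_inspect exposes to rules."""
    parts = request_line.split(" ")
    return unquote(parts[1]) if len(parts) > 1 else ""


def rule_matches(rule, request_line):
    """Apply every content check, then the pcre, the way the rule does:
    all content options must hit; nocase means case-insensitive."""
    uri = normalized_uri(request_line)
    for literal, buffer in rule.contents:
        # depth:200 limits the raw check to the first 200 bytes
        haystack = uri if buffer == "uri" else request_line[:200]
        if literal.lower() not in haystack.lower():
            return False
    if rule.pcre is not None:
        # /U -> match on the normalized URI, /i -> case-insensitive
        return re.search(rule.pcre, uri, re.IGNORECASE) is not None
    return True


def evaluate(requests, rules=RULES):
    """Return {rule name: [indexes of the requests the rule fires on]}."""
    return {rule.name: [i for i, req in enumerate(requests)
                        if rule_matches(rule, req)]
            for rule in rules}


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_REQUESTS).items():
        print(f"{name}: requests {hits}")
```

Two things the run shows that the rule text alone does not: rule 4 as posted checks `|2e 2e 2f|` against the raw payload, so it fires on request 2 but not on request 3, whose traversal is percent-encoded and only becomes `../` in the normalized URI buffer (the http_uri variant fires on both); and the rule 10 pcre `host\x3d.+cat.+\/.+` is not anchored to the end of the host value, so the unbounded `.+` runs across `&` into later parameters and the rule fires on the benign request 4 as well. Both are worth checking before a rule goes into a ruleset, and the model is small enough to extend with the remaining rules from the post.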


