[Emerging-Sigs] Vulnerable Java Version X

Jason Williams jwilliams at emergingthreats.net
Fri Oct 18 12:04:35 HDT 2019


Thanks Fran! Will get these in and updated!

On Fri, Oct 18, 2019 at 3:00 PM Francis Trudeau <trudeauf at gmail.com> wrote:

> Please don't yell at me.
>
> Some of the Java Version sigs are out of date:
>
> Java 7
> 2014297  change 'content:!"211";' to 'content:!"241";'
>
> Java 8
> 2019401  change 'content:!"221";' to 'content:!"231";'
>
> Java 10 is EOL
> 2025518  remove 'content:!"2"; within:1; http_user_agent;'
>
> There's also no coverage for the following:
>
> Java 11 sig:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
> Vulnerable Java Version 11.0.x Detected"; flow:established,to_server;
> content:"Java/11.0."; http_user_agent; content:!"5"; within:1;
> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
> threshold: type limit, count 2, seconds 300, track by_src; metadata:
> former_category POLICY;
> reference:url,
> www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html;
> classtype:bad-unknown; sid:3031; rev:1;)
>
> Java 12 sig:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
> Vulnerable Java Version 12.0.x Detected"; flow:established,to_server;
> content:"Java/12.0."; http_user_agent; content:!"2"; within:1;
> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
> threshold: type limit, count 2, seconds 300, track by_src; metadata:
> former_category POLICY;
> reference:url,
> www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html;
> classtype:bad-unknown; sid:3032; rev:1;)
>
> Java 13 sig:
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
> Vulnerable Java Version 13.0.x Detected"; flow:established,to_server;
> content:"Java/13.0."; http_user_agent; content:!"1"; within:1;
> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
> threshold: type limit, count 2, seconds 300, track by_src; metadata:
> former_category POLICY;
> reference:url,
> www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html;
> classtype:bad-unknown; sid:3033; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20191018/a47ed4e5/attachment.html>


More information about the Emerging-sigs mailing list