[Emerging-Sigs] Vulnerable Java Version X

Francis Trudeau trudeauf at gmail.com
Mon Oct 21 12:35:16 HDT 2019


It appears that 2028867 "ET POLICY Vulnerable Java Version 11.0.x
Detected" didn't get a threshold.

This one is my fault, msg is wrong here:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 12.0.x Detected"; flow:established,to_server;
content:"Java/13.0."; http_user_agent; content:!"1"; within:1;
http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
threshold: type limit, count 2, seconds 300, track by_src;
reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html;
classtype:bad-unknown; sid:2028869; rev:2; metadata:affected_product
Java, attack_target Client_Endpoint, deployment Perimeter,
signature_severity Informational, created_at 2019_10_18, updated_at
2019_10_18;)

On Fri, Oct 18, 2019 at 3:04 PM Jason Williams
<jwilliams at emergingthreats.net> wrote:
>
> Thanks Fran! Will get these in and updated!
>
> On Fri, Oct 18, 2019 at 3:00 PM Francis Trudeau <trudeauf at gmail.com> wrote:
>>
>> Please don't yell at me.
>>
>> Some of the Java Version sigs are out of date:
>>
>> Java 7
>> 2014297  change 'content:!"211";' to 'content:!"241";'
>>
>> Java 8
>> 2019401  change 'content:!"221";' to 'content:!"231";'
>>
>> Java 10 is EOL
>> 2025518  remove 'content:!"2"; within:1; http_user_agent;'
>>
>> There's also no coverage for the following:
>>
>> Java 11 sig:
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
>> Vulnerable Java Version 11.0.x Detected"; flow:established,to_server;
>> content:"Java/11.0."; http_user_agent; content:!"5"; within:1;
>> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
>> threshold: type limit, count 2, seconds 300, track by_src; metadata:
>> former_category POLICY;
>> reference:url,www.oracle.com/technetwork/java/javase/11u-relnotes-5093844.html;
>> classtype:bad-unknown; sid:3031; rev:1;)
>>
>> Java 12 sig:
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
>> Vulnerable Java Version 12.0.x Detected"; flow:established,to_server;
>> content:"Java/12.0."; http_user_agent; content:!"2"; within:1;
>> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
>> threshold: type limit, count 2, seconds 300, track by_src; metadata:
>> former_category POLICY;
>> reference:url,www.oracle.com/technetwork/java/javase/12u-relnotes-5211424.html;
>> classtype:bad-unknown; sid:3032; rev:1;)
>>
>> Java 13 sig:
>>
>> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
>> Vulnerable Java Version 13.0.x Detected"; flow:established,to_server;
>> content:"Java/13.0."; http_user_agent; content:!"1"; within:1;
>> http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
>> threshold: type limit, count 2, seconds 300, track by_src; metadata:
>> former_category POLICY;
>> reference:url,www.oracle.com/technetwork/java/javase/13u-relnotes-5461742.html;
>> classtype:bad-unknown; sid:3033; rev:1;)
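
Added example, not part of the original thread or of the Emerging Threats tooling: a small lint pass that catches the two slips reported above, a `msg` whose Java major version disagrees with the `Java/N.0.` User-Agent match, and a missing `threshold`. The function names and the placeholder sid 1000001 are assumptions; it only understands the `N.0.x` rule shape used for Java 11 and later.

```python
import re

MSG_RE = re.compile(r'msg:"[^"]*Java Version (\d+)\.0\.x[^"]*"')
UA_RE = re.compile(r'content:"Java/(\d+)\.0\."; http_user_agent;')
THRESH_RE = re.compile(r'\bthreshold:\s*type limit\b')

def lint_rule(rule):
    """Return the problems found in one 'Java N.0.x' policy rule."""
    text = " ".join(rule.split())  # undo e-mail line wrapping
    msg, ua = MSG_RE.search(text), UA_RE.search(text)
    if not msg or not ua:
        return ["not a Java N.0.x version rule"]
    problems = []
    if msg.group(1) != ua.group(1):
        problems.append("msg says %s.0.x but content matches Java/%s.0."
                        % (msg.group(1), ua.group(1)))
    if not THRESH_RE.search(text):
        problems.append("no threshold")
    return problems

def lint_rules(rules):
    """Map each rule's sid to its list of problems."""
    out = {}
    for rule in rules:
        sid = re.search(r'\bsid:(\d+);', " ".join(rule.split()))
        out[sid.group(1) if sid else "?"] = lint_rule(rule)
    return out

# sid 2028869 as quoted in the message (reference and metadata trimmed).
WRONG_MSG = '''alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 12.0.x Detected"; flow:established,to_server;
content:"Java/13.0."; http_user_agent; content:!"1"; within:1;
http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
threshold: type limit, count 2, seconds 300, track by_src;
classtype:bad-unknown; sid:2028869; rev:2;)'''

# Constructed rule with the threshold left out; sid 1000001 is a placeholder.
NO_THRESHOLD = '''alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY
Vulnerable Java Version 11.0.x Detected"; flow:established,to_server;
content:"Java/11.0."; http_user_agent; content:!"5"; within:1;
http_user_agent; flowbits:set,ET.http.javaclient.vulnerable;
classtype:bad-unknown; sid:1000001; rev:1;)'''

if __name__ == "__main__":
    for sid, problems in lint_rules([WRONG_MSG, NO_THRESHOLD]).items():
        print(sid, problems or "ok")
```

Running a check like this over a ruleset before publishing flags copy-and-paste drift between the alert text and the bytes the rule actually matches.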

