
List:       emerging-sigs
Subject:    [Emerging-Sigs] StillSecure: 10 New Signatures - Apr 29th, 2011
From:       signatures () stillsecure ! com (signatures)
Date:       2011-04-29 8:52:01
Message-ID: 5C9E8CCEEB81ED498AC0C3B0054704F3054C29A8 () webmail ! latis ! com

Hi Matt,

Please find the 10 signatures below,

1. WEB-ATTACKS Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS \
Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; \
content:"<OBJECT"; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; \
nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; \
distance:0; content:".GetItem1"; nocase; \
pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; \
classtype:web-application-attack; reference:url,exploit-db.com/exploits/17196; \
sid:2204111; rev:1;)  
2. WEB-ATTACKS Gesytec ElonFmt ActiveX Component Format String Function Call
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS Gesytec \
ElonFmt ActiveX Component Format String Function Call"; flow:to_client,established; \
content:"ActiveXObject"; nocase; content:"ELONFMTLib.ElonFmt"; nocase; distance:0; \
content:".GetItem1"; nocase; classtype:attempted-user; \
reference:url,exploit-db.com/exploits/17196; sid:2204112; rev:1;)  
3. WEB-PHP SaurusCMS captcha_image.php script Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP SaurusCMS \
captcha_image.php script Remote File inclusion Attempt"; flow:established,to_server; \
content:"GET "; depth:4; uricontent:"/extensions/saurus4/captcha_image.php?"; nocase; \
uricontent:"class_path="; nocase; pcre:"/class_path=\s*(ftps?|https?|php)\:\//Ui"; \
classtype:web-application-attack; \
reference:url,packetstormsecurity.org/files/view/100461/sauruscms-rfi.txt; \
sid:2604112; rev:1;)  
4. WEB-MISC Publishing Technology id Parameter Blind SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Publishing \
Technology id Parameter Blind SQL Injection Attempt"; flow:established,to_server; \
content:"GET "; depth:4; uricontent:"/CollectionContent.asp?"; nocase; \
uricontent:"id="; nocase; uricontent:"and"; nocase; uricontent:"substring"; nocase; \
pcre:"/and.*substring\(/Ui"; classtype:web-application-attack; \
reference:url,packetstormsecurity.org/files/view/100822/publishingtechnology-sql.txt; \
sid:2704111; rev:1;)  
5. WEB-PHP phpRS id parameter SELECT FROM SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpRS id \
parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; \
content:"GET "; depth:4; uricontent:"/model-kits.php?"; nocase; uricontent:"akce="; \
nocase; uricontent:"nazev="; nocase; uricontent:"id="; nocase; uricontent:"SELECT"; \
nocase; uricontent:"FROM"; nocase; pcre:"/SELECT.+FROM/Ui"; \
classtype:web-application-attack; \
reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; sid:2504111; \
rev:1;)  
6. WEB-PHP phpRS id parameter DELETE FROM SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpRS id \
parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; \
content:"GET "; depth:4; uricontent:"/model-kits.php?"; nocase; uricontent:"akce="; \
nocase; uricontent:"nazev="; nocase; uricontent:"id="; nocase; uricontent:"DELETE"; \
nocase; uricontent:"FROM"; nocase; pcre:"/DELETE.+FROM/Ui"; \
classtype:web-application-attack; \
reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; sid:2504112; \
rev:1;)  
7. WEB-PHP phpRS id parameter UNION SELECT SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpRS id \
parameter UNION SELECT SQL Injection Attempt"; flow:established,to_server; \
content:"GET "; depth:4; uricontent:"/model-kits.php?"; nocase; uricontent:"akce="; \
nocase; uricontent:"nazev="; nocase; uricontent:"id="; nocase; uricontent:"UNION"; \
nocase; uricontent:"SELECT"; nocase; pcre:"/UNION.+SELECT/Ui"; \
classtype:web-application-attack; \
reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; sid:2504113; \
rev:1;)  
8. WEB-PHP phpRS id parameter INSERT INTO SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpRS id \
parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; \
content:"GET "; depth:4; uricontent:"/model-kits.php?"; nocase; uricontent:"akce="; \
nocase; uricontent:"nazev="; nocase; uricontent:"id="; nocase; uricontent:"INSERT"; \
nocase; uricontent:"INTO"; nocase; pcre:"/INSERT.+INTO/Ui"; \
classtype:web-application-attack; \
reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; sid:2504114; \
rev:1;)  
9. WEB-PHP phpRS id parameter UPDATE SET SQL Injection Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP phpRS id \
parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET \
"; depth:4; uricontent:"/model-kits.php?"; nocase; uricontent:"akce="; nocase; \
uricontent:"nazev="; nocase; uricontent:"id="; nocase; uricontent:"UPDATE"; nocase; \
uricontent:"SET"; nocase; pcre:"/UPDATE.+SET/Ui"; classtype:web-application-attack; \
reference:url,packetstormsecurity.org/files/view/96760/phprsmk-sql.txt; sid:2504115; \
rev:1;)  
10. WEB-PHP OrangeHRM path Parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP OrangeHRM path \
Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; \
depth:4; uricontent:"/plugins/PluginController.php?"; nocase; uricontent:"path="; \
nocase; content:"..%2f"; depth:200; classtype:web-application-attack; \
reference:url,packetstormsecurity.org/files/view/100823/OrangeHRM2.6.3-lfi.txt; \
sid:2704112; rev:1;)

Looking forward to your comments, if any.


Thanks & Regards,
StillSecure

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20110429/820e50c6/attachment.html



