
List:       snort-sigs
Subject:    Re: [Snort-sigs] Fw: CVE-2017-9810, CVE-2017-9812 Signatures
From:       Tyler Montier <tmontier () sourcefire ! com>
Date:       2017-07-31 13:31:23
Message-ID: CACH8kzGAmvcfOH8S3BL3-iRsCEp5rWvPVhR5PBEdZdL3SyOHbQ () mail ! gmail ! com


Yaser,

Thanks for your submission. We will review the rules and get back to you
when they're finished.

Sincerely,

Tyler Montier
Cisco Talos

On Mon, Jul 31, 2017 at 8:29 AM, Y M via Snort-sigs <
snort-sigs@lists.snort.org> wrote:

> Hello,
>
>
> The two rules below are also derived from the references within the
> signatures. No pcaps available.
>
>
> # Hostile page served to an internal browser that would submit setTaskSettings to the WMC
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER
> Kaspersky Linux File Server WMC cross site request forgery attempt";
> flow:to_client,established; file_data; content:"/cgi-bin/cgictl?action=setTaskSettings";
> fast_pattern:only; content:"taskId="; nocase; content:"settings=|7B|";
> nocase; metadata:service ftp-data, service http, service imap, service
> pop3; reference:cve,2017-9810;
> reference:url,www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities;
> classtype:attempted-admin; sid:110002; rev:1;)
>
> # Client request to the WMC whose reportId parameter starts with a traversal sequence
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER
> Kaspersky Linux File Server WMC path traversal attempt";
> flow:to_server,established; content:"/cgi-bin/cgictl?action=getReportStatus";
> fast_pattern; http_uri; content:"&reportId=../"; distance:0; http_uri; nocase;
> metadata:service http; reference:cve,2017-9812;
> reference:url,www.coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities;
> classtype:attempted-admin; sid:110003; rev:1;)
>
> Thanks.
>
> YM
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most emerging threats
> (https://snort.org/downloads/#rule-downloads)!
>
>
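Since no pcaps were available, here is an added example (not from the thread or from Talos) that runs constructed request and response samples through a plain-Python approximation of the two rules' content and distance checks; the host name and parameter values are made up.

```python
# Added example, not part of the thread: constructed HTTP samples run through a
# plain-Python approximation of the two rules' content checks (sid 110002/110003).
# Host names and parameter values are made up; nothing here is captured traffic.

CSRF_PAGE = (  # constructed page an external site might serve to an internal browser
    '<html><body><img src="http://fileserver.example/cgi-bin/cgictl'
    '?action=setTaskSettings&taskId=3&settings={\'maxThreads\':1}"></body></html>'
)
TRAVERSAL_REQUEST = (  # constructed client request to the WMC
    "GET /cgi-bin/cgictl?action=getReportStatus&reportId=../../reports HTTP/1.1\r\n"
    "Host: fileserver.example\r\n\r\n"
)
BENIGN_REQUEST = (  # constructed client request with an ordinary report id
    "GET /cgi-bin/cgictl?action=getReportStatus&reportId=42 HTTP/1.1\r\n"
    "Host: fileserver.example\r\n\r\n"
)


def request_uri(raw_request: str) -> str:
    """Pull the request-target out of the request line (roughly Snort's http_uri buffer)."""
    request_line = raw_request.split("\r\n", 1)[0]
    fields = request_line.split(" ")
    return fields[1] if len(fields) >= 2 else ""


def matches_traversal_rule(raw_request: str) -> bool:
    """sid 110003: case-sensitive anchor, then the nocase content after it (distance:0)."""
    uri = request_uri(raw_request)
    anchor = "/cgi-bin/cgictl?action=getReportStatus"
    start = uri.find(anchor)
    if start < 0:
        return False
    # lower() preserves length, so offsets into the original URI stay valid
    return uri.lower().find("&reportid=../", start + len(anchor)) >= 0


def matches_csrf_rule(response_body: str) -> bool:
    """sid 110002: all three contents anywhere in the served body (file_data), no ordering."""
    body = response_body.lower()
    needles = ("/cgi-bin/cgictl?action=settasksettings", "taskid=", "settings={")
    return all(n in body for n in needles)


if __name__ == "__main__":
    print("csrf page :", matches_csrf_rule(CSRF_PAGE))
    print("traversal :", matches_traversal_rule(TRAVERSAL_REQUEST))
    print("benign    :", matches_traversal_rule(BENIGN_REQUEST))
```

This approximates only the content matching, not http_inspect's URI normalization, so on a real sensor the traversal rule is worth checking against both http_uri and http_raw_uri.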



