
List:       snort-sigs
Subject:    Re: [Snort-sigs] Understanding SNORT ID 47649
From:       Alex McDonnell <amcdonnell () sourcefire ! com>
Date:       2019-04-03 19:17:33
Message-ID: CAK6Z=_XPAkXxeNE_EaynJR0mXE5dE922FNWBD+qmpzX2Z9mH_g () mail ! gmail ! com

Real quick:

content:"|23|_memberAccess"; fast_pattern:only; http_uri:; <- this content
is looking for @_memberAccess, an ognl command, in the URI field of HTTP
traffic.

content:"ognl."; http_uri:; <- this content looks for the first part of an
ognl command in the URI


pcre:"/ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)/Ui";
<- this PCRE looks for the same ognl string followed by some common
commands such as ognl.OgnlContext. Again in the URI.


This rule is attempting to detect the exploitation of the vuln referenced
in the rule and pointed out in the previous email by Waldo Kitty. The
network traffic you included resembles that found in exploitation traffic,
specifically one investigated at
http://www.voidcn.com/article/p-fhhxkdhd-zw.html (in Chinese, needs
translation)


If you are using Cisco Firepower you may want to open a Support/TAC case to
see if there's a need to take remediation steps.


Thanks

Alex McDonnell

Cisco Talos

On Wed, Apr 3, 2019 at 2:47 PM wkitty42--- via Snort-sigs <snort-sigs@lists.snort.org> wrote:

> On 4/1/19 1:52 PM, Migell Roberts wrote:
> > reference:cve,2018-11776;
> >
> > reference:url,cwiki.apache.org/confluence/display/WW/S2-057;
>
> see those two reference lines above? look up the CVE and visit the cwiki
> site link...
>
> aside from that, looking at the rule will tell you what the matches are
> for the rule... if the traffic made it to your server, the server logs
> should tell you exactly what was being looked for...
>
> the only other thing i can think of is to look at the
> snort.log.xxxxxxxxxxxx file containing the pcap of the traffic... the
> pcap will tell you what the server cannot if the traffic didn't make it
> that far...
>
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list unless*
>         *a signed and pre-paid contract is in effect with us.*
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules:
> https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most emerging threats:
> https://snort.org/downloads/#rule-downloads
>
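To make the three rule options above concrete, here is an added Python model of how the checks in SID 47649 combine; it is my example, not Talos or Snort code. It assumes a simplified percent-decoding stand-in for Snort's normalized http_uri buffer and uses constructed request samples, not captured traffic.

```python
import re
from urllib.parse import unquote_to_bytes

# Rule options of SID 47649 as quoted on the list; |23| is Snort hex notation for '#'.
# Plain content matches are case-sensitive (no nocase); the PCRE carries the /i flag
# and /U, which targets the normalized URI buffer.
CONTENT_MEMBER_ACCESS = b"#_memberAccess"  # content:"|23|_memberAccess"; fast_pattern:only; http_uri;
CONTENT_OGNL = b"ognl."                    # content:"ognl."; http_uri;
PCRE_OGNL = re.compile(                    # pcre:"/ognl\x2e(...)/Ui";
    rb"ognl\x2e(OgnlContext|ClassResolver|TypeConverter|MemberAccess)", re.IGNORECASE)


def http_uri(request: bytes) -> bytes:
    """Simplified stand-in (assumption) for Snort's normalized http_uri buffer: the
    request-target from the request line, percent-decoded. Real Snort normalization
    does more (path compression, multiple slashes, UTF-8 handling)."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return b""
    return unquote_to_bytes(parts[1])


def evaluate_sid47649(request: bytes) -> dict:
    """Report each option's result; the rule only alerts when every option matches."""
    uri = http_uri(request)
    results = {
        "member_access": CONTENT_MEMBER_ACCESS in uri,
        "ognl_prefix": CONTENT_OGNL in uri,
        "ognl_pcre": PCRE_OGNL.search(uri) is not None,
    }
    results["alert"] = all(results[k] for k in ("member_access", "ognl_prefix", "ognl_pcre"))
    return results


def sid47649_alerts(request: bytes) -> bool:
    return evaluate_sid47649(request)["alert"]


# Constructed sample requests (not real traffic); they carry only the matched tokens.
SAMPLES = {
    "encoded_uri": b"GET /index.action?x=%23_memberAccess%20ognl.OgnlContext HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "docs_path": b"GET /docs/ognl.OgnlContext.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "missing_pcre_target": b"GET /index.action?x=%23_memberAccess%20ognl.other HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:22} -> {evaluate_sid47649(req)}")
```

Only the first sample alerts: the docs path matches the ognl content and PCRE but lacks the #_memberAccess content, and the third matches both contents but not the PCRE's class list.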
