Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Updated Twiki Snort Sig SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Updated Twiki Snort Sig

This is an update to a snort sig that we posted earlier for the recently announced TWiki vulnerability that allows for remote code execution:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,secunia.com/\
advisories/16820/; sid:2002366; rev:3;)

Note: This is a single line that has been broken to allow for better formatting in the diary.  The "\" characters at the end of the lines above show where the line breaks have been added.  Many thanks to Joe Esler, Chas Tomlin, Jason Brvenik, and Frank Knobbe and all the folks from Bleeding Edge (you guys rock!).

Tom

160 Posts
ISC Handler
Sep 19th 2005

Sign Up for Free or Log In to start participating in the conversation!