[Bro] Apache struts exploit detection
zeolla at gmail.com
Tue Mar 14 03:08:02 PDT 2017
Here's an example script that will detect CVE-2017-5638 exploit attempts
and log the contents of the header.
For future reference, the key component is:
# Notice type name and detection_string value are not in the original message; both are assumed here.
redef enum Notice::Type += { Struts_Exploit_Attempt };
const detection_string = /#_memberAccess|#cmd=/ &redef;
event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# look if the connection is from offsite and the value is content-type
	if ( !Site::is_local_addr(c$id$orig_h) && name == "CONTENT-TYPE" && detection_string in value )
		NOTICE([$note=Struts_Exploit_Attempt, $src=c$id$orig_h,
		        $msg=fmt("CVE-2017-5638/Struts attack from %s seen: %s", c$id$orig_h, value)]);
	}
Please note that this is not my script; it is set-element's. Depending on
the situation, you may want to check the src/dst to add exemptions
(vulnerability scanning boxes?), ignore or specifically monitor
Site::is_private_addr src/dsts, add $identifier/$suppress_for to the
NOTICE, replace $src=... with $conn=c to get more details in the notice
log, etc. It all depends on what you want; those are just things I would do.
On Tue, Mar 14, 2017, 3:04 AM John Edwards <jedwards2728 at gmail.com> wrote:
> Hi all
> For the likes of the Apache Struts web application attack, where the actual
> exploit is contained within a web HTTP GET request. Or let's say any web
> app attack that is embedded within the referer field, like embedded
> I can see Bro will see things like HTTP user agent fields and GET or POST
> requests, but the actual malicious code embedded further in the request
> I'm assuming isn't captured?
> My IPS obviously captures that alert data and I can see the exploit,
> but in the Bro data from the http log I'll only see "GET / HTTP1.1" and that's
> Bro mailing list
> bro at bro-ids.org
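An added example, written for this archive page and not the script from the thread or set-element's code: a complete Bro script that applies the tweaks suggested in the reply above (scanner exemptions, skipping local sources, $identifier/$suppress_for on the NOTICE, and $conn=c instead of $src). It also answers the original question: headers never appear in http.log by default, but every header of every request is delivered to script land through the http_header event, with the header name already uppercased. The module name, the notice type, the scanner address, the suppression interval and the detection pattern are all assumptions chosen for illustration.

```zeek
# Added example; not the script discussed in the thread.
# Module name, notice type, scanner list, interval and pattern are assumptions.
@load base/frameworks/notice
@load base/protocols/http
@load base/utils/site

module StrutsDetect;

export {
	redef enum Notice::Type += {
		## A client request whose Content-Type header carries an OGNL
		## expression, the shape used by CVE-2017-5638 exploit attempts.
		CVE_2017_5638_Attempt,
	};

	## Assumed pattern: public exploits place an OGNL expression such as
	## %{(#_='multipart/form-data')...} in Content-Type. Adjust to taste;
	## payload variants exist and this is only a starting point.
	const detection_pattern = /%\{\(#_=|#_memberAccess|#cmd=/ &redef;

	## Assumed exemption list: authorised vulnerability scanners whose
	## traffic should not raise a notice.
	const scanner_exemptions: set[addr] = { 10.0.5.20 } &redef;

	## Report a given source/destination pair at most once per interval.
	const suppress_interval = 1hr &redef;
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Only headers sent by the client, and only Content-Type.
	# Bro uppercases the header name before raising this event.
	if ( ! is_orig || name != "CONTENT-TYPE" )
		return;

	# Skip our own scanners and sources inside the monitored site.
	if ( c$id$orig_h in scanner_exemptions || Site::is_local_addr(c$id$orig_h) )
		return;

	if ( detection_pattern !in value )
		return;

	# $conn=c fills in src/dst/uid for notice.log; $identifier plus
	# $suppress_for collapses repeated attempts from the same pair.
	NOTICE([$note=CVE_2017_5638_Attempt,
	        $msg=fmt("CVE-2017-5638/Struts attack from %s seen: %s", c$id$orig_h, value),
	        $sub=value,
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h),
	        $suppress_for=suppress_interval]);
	}
```

Load it from local.bro with @load, and make sure Site::local_nets is populated: with it empty, Site::is_local_addr is false for every address, so the local-source exemption silently becomes a no-op and every client, internal or not, is checked. The exemption set and the pattern are both &redef so they can be overridden from local.bro without editing the script.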