[Bro] Apache struts exploit detection

John Edwards jedwards2728 at gmail.com
Mon Mar 13 23:56:31 PDT 2017


Hi all

For the likes of the Apache Struts web application attack, where the actual
exploit is contained within a web HTTP GET request, or let's say any web
app attack that is embedded within the Referer field, like embedded
JavaScript, can Bro actually view or log that level of info?

I can see Bro will see things like HTTP user agent fields and GET or POST
requests, but the actual malicious code embedded further in the request
I'm assuming isn't captured?

My IPS obviously captures that alert data and I can see the exploit, but
in the Bro data from the HTTP log I'll only see "GET / HTTP1.1" and that's all.

Cheers
John