[Bro] Apache struts exploit detection

Drew Dixon dwdixon at umich.edu
Tue Mar 14 09:09:52 PDT 2017


Deploy this outstanding bro detection script for this vulnerability:

https://github.com/initconf/CVE-2017-5638_struts.git

On Tue, Mar 14, 2017 at 6:08 AM, Zeolla at GMail.com <zeolla at gmail.com> wrote:

> Here's an example script that will detect CVE-2017-5638 exploit attempts
> and log the contents of the header.
>
> https://github.com/set-element/misc-scripts/blob/master/CVE-2017-5638_struts.bro
>
> For future reference the key component is:
>
> module HTTP;
>
> export {
>         redef enum Notice::Type += {
>                 ## Content-Type header carried a Struts CVE-2017-5638 OGNL payload
>                 HTTP_StrutsAttack
>         };
>
>         # Pattern matched against the Content-Type value. The thread does not
>         # show the real script's pattern; this is the prefix of the public
>         # S2-045 proof-of-concept payload. Redef it to suit your signatures.
>         const detection_string = /%\{\(#_='multipart\/form-data'\)/ &redef;
> }
>
> event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
>         {
>         # Bro upper-cases header names, so the client's Content-Type header
>         # arrives as "CONTENT-TYPE". Only look at connections from offsite.
>         if ( !Site::is_local_addr(c$id$orig_h) && name == "CONTENT-TYPE"
>              && detection_string in value )
>                 {
>                 NOTICE([$note=HTTP_StrutsAttack, $src=c$id$orig_h,
>                         $msg=fmt("CVE-2017-5638/Struts attack from %s seen: %s",
>                                  c$id$orig_h, value)]);
>                 }
>         }
>
> Please note that this is not my script, it is set-element's.  Depending on
> the situation you may want to check the src/dst to add exemptions
> (vulnerability scanning boxes?), ignore or specifically monitor
> Site::is_private_addr src/dsts, add $identifier/$suppress_for to the
> NOTICE, replace $src=... with $conn=c to get more details in the notice
> log, etc.  All depends on what you want, those are just things I would do.
>
> Jon
>
> On Tue, Mar 14, 2017, 3:04 AM John Edwards <jedwards2728 at gmail.com> wrote:
>
>> Hi all
>>
>> For the likes of the Apache Struts web application attack, where the actual
>> exploit is contained within an HTTP GET request, or let's say any web
>> app attack that is embedded within the Referer field, like embedded
>> JavaScript, can Bro actually view or log that level of info?
>>
>> I can see Bro will see things like HTTP user agent fields and GET or POST
>> requests, but I'm assuming the actual malicious code embedded further in the
>> request isn't captured?
>>
>> My IPS obviously captures that alert data and I can see the exploit,
>> but in the Bro data from the http log I'll only see "GET / HTTP1.1" and that's
>> all.
>>
>> Cheers
>> John
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
>
> Jon
>
>
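The http_header check quoted above, together with Jon's suggested tweaks (scanner exemptions, skipping local sources, $identifier/$suppress_for on the NOTICE), as a self-contained example run over constructed HTTP requests. This is added example code, not set-element's script or anything from the Bro project. The detection pattern is an assumption (the prefix of the public S2-045 proof-of-concept; the thread does not show the real script's pattern), and LOCAL_NETS, SCANNER_EXEMPT and the sample addresses and requests are all constructed.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumption (not from the thread): the public S2-045 proof-of-concept opens
# its OGNL expression with this prefix. Substitute whatever your IDS matches.
DETECTION_RE = re.compile(r"%\{\(#_='multipart/form-data'\)")

# Constructed stand-ins for Site::local_nets and a scanner exemption list.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]
SCANNER_EXEMPT = {ipaddress.ip_address("203.0.113.9")}

SUPPRESS_FOR = 3600.0  # seconds; plays the role of $suppress_for

# Constructed payload: only the prefix matters for the check, the rest is a stub.
PAYLOAD = "%{(#_='multipart/form-data').(#cmd='id')}"


def is_local_addr(a: str) -> bool:
    """Equivalent of Site::is_local_addr for the constructed LOCAL_NETS."""
    ip = ipaddress.ip_address(a)
    return any(ip in net for net in LOCAL_NETS)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Map header name -> value for one raw request. Names are upper-cased,
    which is how Bro hands them to http_header (hence "CONTENT-TYPE")."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # [1:] drops the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().upper().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


class StrutsDetector:
    """Mirrors the NOTICE logic: offsite source, Content-Type matches, not
    exempt, and not already reported for this (src, dst) within SUPPRESS_FOR."""

    def __init__(self) -> None:
        self._last_notice: Dict[Tuple[str, str], float] = {}

    def check(self, orig_h: str, resp_h: str, raw: bytes, now: float) -> Optional[dict]:
        if is_local_addr(orig_h) or ipaddress.ip_address(orig_h) in SCANNER_EXEMPT:
            return None
        value = parse_headers(raw).get("CONTENT-TYPE")
        if value is None or not DETECTION_RE.search(value):
            return None
        key = (orig_h, resp_h)  # what $identifier would carry
        last = self._last_notice.get(key)
        if last is not None and now - last < SUPPRESS_FOR:
            return None  # suppressed, like $suppress_for
        self._last_notice[key] = now
        return {"note": "HTTP_StrutsAttack", "src": orig_h, "dst": resp_h,
                "msg": f"CVE-2017-5638/Struts attack from {orig_h} seen: {value}"}


def build_request(content_type: str, header_name: str = "Content-Type") -> bytes:
    """Constructed POST with the given Content-Type value (no body)."""
    return (f"POST /struts2-showcase/index.action HTTP/1.1\r\n"
            f"Host: www.example.com\r\n"
            f"{header_name}: {content_type}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def run_samples() -> List[bool]:
    """True where a notice would be raised. Inputs are all constructed."""
    d = StrutsDetector()
    samples = [
        ("198.51.100.7", "192.168.1.10", build_request(PAYLOAD), 0.0),      # offsite attacker
        ("198.51.100.7", "192.168.1.10", build_request(PAYLOAD), 120.0),    # repeat, suppressed
        ("10.1.2.3",     "192.168.1.10", build_request(PAYLOAD), 130.0),    # local source, ignored
        ("203.0.113.9",  "192.168.1.10", build_request(PAYLOAD), 140.0),    # exempt scanner
        ("198.51.100.8", "192.168.1.10",
         build_request("application/x-www-form-urlencoded"), 150.0),        # benign
        ("198.51.100.9", "192.168.1.10",
         build_request(PAYLOAD, "content-type"), 160.0),                    # lowercase name, still caught
        ("198.51.100.7", "192.168.1.10", build_request(PAYLOAD), 4000.0),   # window expired, reported again
    ]
    return [d.check(*s) is not None for s in samples]


if __name__ == "__main__":
    print(run_samples())
```

The header-name upper-casing is why the quoted script compares against "CONTENT-TYPE" rather than "Content-Type"; the suppression key is per (source, destination) pair, so a scanner sweeping many hosts still produces one notice per target.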