[Bro] Apache struts exploit detection

Zeolla@GMail.com zeolla at gmail.com
Thu Mar 23 05:54:10 PDT 2017


I just wanted to add onto this thread and mention that it appears there is
a new way to exploit CVE-2017-5638 which neither of the prior scripts is
currently looking for.  I've opened #3
<https://github.com/initconf/CVE-2017-5638_struts/issues/3> on Aashish's
repo to provide more details.

Jon

On Tue, Mar 14, 2017 at 1:55 PM Johanna Amann <johanna at icir.org> wrote:

And note that Aashish made it so you can install it using bro-pkg :)

Johanna

On Tue, Mar 14, 2017 at 12:09:52PM -0400, Drew Dixon wrote:
> Deploy this outstanding bro detection script for this vulnerability:
>
> https://github.com/initconf/CVE-2017-5638_struts.git
>
> On Tue, Mar 14, 2017 at 6:08 AM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
>
> > Here's an example script that will detect CVE-2017-5638 exploit attempts
> > and log the contents of the header.
> >
> > https://github.com/set-element/misc-scripts/blob/master/CVE-2017-5638_struts.bro
> >
> > For future reference the key component is:
> >
> > event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
> >     {
> >     # detection_string and HTTP_StrutsAttack are defined elsewhere in the script.
> >     # Fire when a non-local client sends a Content-Type header (Bro reports header
> >     # names upper-cased) whose value contains the detection string.
> >     if ( !Site::is_local_addr(c$id$orig_h) && name == "CONTENT-TYPE" && detection_string in value )
> >         {
> >         NOTICE([$note=HTTP_StrutsAttack, $src=c$id$orig_h,
> >                 $msg=fmt("CVE-2017-5638/Struts attack from %s seen: %s", c$id$orig_h, value)]);
> >         }
> >     }
> >
> > Please note that this is not my script, it is set-element's.  Depending on
> > the situation you may want to check the src/dst to add exemptions
> > (vulnerability scanning boxes?), ignore or specifically monitor
> > Site::is_private_addr src/dsts, add $identifier/$suppress_for to the
> > NOTICE, replace $src=... with $conn=c to get more details in the notice
> > log, etc.  All depends on what you want, those are just things I would do.
> >
> > Jon
> >
> > On Tue, Mar 14, 2017, 3:04 AM John Edwards <jedwards2728 at gmail.com> wrote:
> >
> >> Hi all
> >>
> >> For the likes of the apache struts web application attack that the actual
> >> exploit is contained within a web http GET request. Or let's say any web
> >> app attack that is embedded within the referer field like embedded
> >> JavaScript can bro actually view or log that level of info?
> >>
> >> I can see bro will see things like http user agent fields and get or post
> >> request but for the actual malicious code embedded further in the request
> >> I'm assuming isn't captured?
> >>
> >> My ips obviously captures that alert data and I can see the exploit
> >> but the bro data from the http log I'll only see "GET / HTTP1.1" and that's
> >> all
> >>
> >> Cheers
> >> John
> >> _______________________________________________
> >> Bro mailing list
> >> bro at bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> > --
> >
> > Jon
> >


-- 

Jon
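The http_header check Jon quoted on 14 March, filled out with the tuning he lists afterwards (scanner exemptions, $identifier/$suppress_for on the NOTICE, $conn=c instead of $src, a switch for local sources), written as an added Bro/Zeek script example for this thread. It is not the set-element script, not the initconf package, and not code from anyone on the thread. The module name, the header set (adding Content-Disposition next to Content-Type), the OGNL pattern used as the detection string, the suppression interval and the empty exemption list are all assumptions for illustration; the original snippet only looked at Content-Type and left detection_string to the rest of the script.

```zeek
##! Added example, not the set-element or initconf script: CVE-2017-5638
##! detection on request headers, with the tuning Jon suggests on the thread.

@load base/frameworks/notice
@load base/protocols/http
@load base/utils/site

module StrutsDetect;

export {
    redef enum Notice::Type += {
        ## A request header carrying an OGNL expression (CVE-2017-5638 style).
        HTTP_StrutsAttack,
    };

    ## Request headers to inspect. Bro/Zeek hands http_header the name
    ## upper-cased. Assumption: the original only checked CONTENT-TYPE;
    ## CONTENT-DISPOSITION is added here for illustration.
    const watched_headers: set[string] = { "CONTENT-TYPE", "CONTENT-DISPOSITION" } &redef;

    ## Detection string. Assumption for this example: an OGNL expression
    ## opener "%{" followed somewhere by a '#' variable reference.
    const detection_pattern = /%\{.*#/ &redef;

    ## Sources to exempt, e.g. your own vulnerability scanners (Jon's
    ## "vulnerability scanning boxes?"). Empty by default; fill via redef.
    const exempt_sources: set[addr] = set() &redef;

    ## Whether to ignore requests whose source is a Site::local_nets address,
    ## as the original did. Set to F to monitor internal sources as well.
    const ignore_local_sources = T &redef;

    ## Hold back repeat notices for the same source and header this long.
    const suppress_interval = 10min &redef;
}

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5
{
    # Only client-to-server (request) headers carry the exploit.
    if ( ! is_orig )
        return;

    # Exemptions first, so a scanner never produces a notice at all.
    if ( c$id$orig_h in exempt_sources )
        return;

    if ( ignore_local_sources && Site::is_local_addr(c$id$orig_h) )
        return;

    if ( name !in watched_headers )
        return;

    if ( detection_pattern !in value )
        return;

    # $conn=c fills src/dst/uid in notice.log; $sub keeps the raw header value;
    # $identifier + $suppress_for collapse a flood from one source into one notice.
    NOTICE([$note=HTTP_StrutsAttack,
            $conn=c,
            $msg=fmt("CVE-2017-5638/Struts attack from %s in %s header", c$id$orig_h, name),
            $sub=value,
            $identifier=cat(c$id$orig_h, name),
            $suppress_for=suppress_interval]);
}
```

Drop the file next to local.bro and @load it, then replay a capture with `bro -r struts.pcap` (or `zeek -r`) and read notice.log; redef exempt_sources and watched_headers from local.bro rather than editing the module. The pattern is deliberately a plain substring-style regex so that a benign multipart Content-Type never matches; anything more specific to a particular payload variant should be treated as a tuning decision, not as the check itself.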