Monday, 14 December 2015

Ruleset-Update: Jenkins-Exploits, Joomla 0-Day


Added some sigs against known exploits for Jenkins and WP;
the rules themselves can be found here:
http://spike.nginx-goodies.com/rules/

For the latest Joomla vuln + exploit (see
https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html)
you might want to look at 42000343
http://spike.nginx-goodies.com/rules/edit/42000343
which detects generic PHP object injection attacks.
I modified this rule to check headers now as well;
updates are pushed to the repo already.


MainRule "rx:O:\d+:.*:\d+:{(s|S):\d+:.*;.*}" "msg:possible PHP Object Injection" "mz:BODY|ARGS|HEADERS" "s:$ATTACK:8" id:42000343;
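To show what the updated rule matches across its three zones, here is an added Python example (not part of this post or of doxi-rules) that applies the rule's regex and score to constructed sample requests; the request dict layout, the sample values and the single-rule scoring are assumptions.

```python
import re

# Pattern, score and zones copied from doxi rule 42000343 above; the PCRE
# pattern is valid Python 're' syntax unchanged ('{' without digits is literal).
RULE_ID = 42000343
RULE_RX = re.compile(r"O:\d+:.*:\d+:{(s|S):\d+:.*;.*}")
RULE_SCORE = 8                        # "s:$ATTACK:8": each hit adds 8 to $ATTACK
ZONES = ("BODY", "ARGS", "HEADERS")   # "mz:BODY|ARGS|HEADERS"

def scan_request(request):
    """Apply rule 42000343 to every value in its match zones.
    request: {"ARGS": {name: value}, "HEADERS": {name: value}, "BODY": str}
    Returns a list of (zone, name, rule_id) tuples, one per matching value."""
    hits = []
    for zone in ZONES:
        data = request.get(zone, "")
        # BODY is one string; ARGS and HEADERS are name -> value maps.
        items = data.items() if isinstance(data, dict) else [("", data)]
        for name, value in items:
            if RULE_RX.search(value):
                hits.append((zone, name, RULE_ID))
    return hits

def attack_score(request):
    """Total $ATTACK score this rule alone contributes, as naxsi would sum it."""
    return RULE_SCORE * len(scan_request(request))

# Constructed sample requests, not captured traffic.
BENIGN = {
    "ARGS": {"id": "42", "q": "O:1:2"},
    "HEADERS": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    "BODY": "name=alice&action=save",
}
# A serialized PHP stdClass object in a request header: the case the rule
# now covers since HEADERS was added to its match zone.
SERIALIZED_IN_HEADER = {
    "ARGS": {"id": "42"},
    "HEADERS": {"User-Agent": 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'},
    "BODY": "",
}
# Coverage limit: the pattern needs a string-typed first member (s:/S:), so an
# object whose first member key is an integer (i:) is not matched.
INT_KEY_OBJECT = {"BODY": 'O:8:"stdClass":1:{i:0;s:3:"bar";}'}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("header", SERIALIZED_IN_HEADER),
                       ("intkey", INT_KEY_OBJECT)):
        print(label, scan_request(req), "score", attack_score(req))
```

In naxsi the accumulated $ATTACK score is compared against a CheckRule threshold that this post does not show, so the example only sums the score.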


-----------------------------

http://spike.nginx-goodies.com/rules/


[+] new sigs:
  42000443 :: web_apps.rules       :: WordPress XMLRPC Enumeration system.listMethods
  42000444 :: web_apps.rules       :: WordPress XMLRPC Enumeration system.getCapabilities
  42000445 :: app_server.rules     :: Possible Jenkins/Hudson RCE-Exploit
  42000446 :: app_server.rules     :: Jenkins User-Credentials-Access (POST)
  42000447 :: app_server.rules     :: Jenkins User-Credentials-Access (GET)
  42000448 :: app_server.rules     :: Possible Jenkins/Hudson RCE-Exploit
  42000449 :: app_server.rules     :: Possible Jenkins/Hudson RCE-Exploit (/script)


Rules are available here: https://bitbucket.org/lazy_dogtown/doxi-rules