Event Type: Attempted User Privilege Gain
Signature: ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI
Severity: high
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; http.uri; content:"java.lang.Runtime@getRuntime().exec("; nocase; classtype:attempted-user; sid:2016953; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
Web Application Attack
Signature: ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1
Severity: high
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4;)
Event Type: Web Application Attack
Signature: ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1
Severity: high
Source IP: 46.177.28.199
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4;)
Event Type: A Network Trojan was detected
Signature: ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY.
Severity: high
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; http.request_body; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; classtype:trojan-activity; sid:2018056; rev:4;)
Event Type: A Network Trojan was detected
Signature: ET WEB_SERVER WebShell Generic - ASP File Uploaded
Severity: high
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ASP File Uploaded"; flow:established,to_server; http.request_body; content:"|0D 0A|"; content:"<%"; within:5; fast_pattern; content:"%>"; distance:0; pcre:"/<%[\x00-\x7f]{20}/"; classtype:trojan-activity; sid:2017260; rev:12;)
Event Type: Web Application Attack
Signature: ET WEB_SERVER PHP tags in HTTP POST
Severity: high
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<?php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:8;)
Event Type: A Network Trojan was detected
Signature: ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY.
Severity: high
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible XXE SYSTEM ENTITY in POST BODY."; flow:established,to_server; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; http.request_body; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; classtype:trojan-activity; sid:2018056; rev:4;)
Event Type: Web Application Attack
Signature: ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION
Severity: high
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Attempt to Get SQL Server Version in URI using SELECT VERSION"; flow:established,to_server; http.uri; content:"SELECT"; nocase; content:"VERSION"; nocase; distance:1; reference:url,support.microsoft.com/kb/321185; reference:url,doc.emergingthreats.net/2011037; classtype:web-application-attack; sid:2011037; rev:6;)
Event Type: A Network Trojan was detected
Signature: ET WEB_SERVER WebShell Generic - ASP File Uploaded
Severity: high
Source IP: 193.92.71.169
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER WebShell Generic - ASP File Uploaded"; flow:established,to_server; http.request_body; content:"|0D 0A|"; content:"<%"; within:5; fast_pattern; content:"%>"; distance:0; pcre:"/<%[\x00-\x7f]{20}/"; classtype:trojan-activity; sid:2017260; rev:12;)
Event Type: Web Application Attack
Signature: ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1
Source IP: 89.210.58.156
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/JMXInvokerServlet/"; nocase; reference:cve,CVE-2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:4;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; http.uri; content:"java.lang.Runtime@getRuntime().exec("; nocase; classtype:attempted-user; sid:2016953; rev:4;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER /bin/sh In URI Possible Shell Command Execution Attempt"; flow:established,to_server; http.uri; classtype:web-application-attack
Attempted User Privilege Gain/ Attempted Information Leak. alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; http.uri; content:"java.lang.Runtime@getRuntime().exec("; nocase; classtype:attempted-user; sid:2016953; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER allow_url_include PHP config option in uri"; flow:established,to_server; http.uri; content:"allow_url_include"; fast_pattern; pcre:"/\ballow_url_include\s*?=/"; reference:url,seclists.org/fulldisclosure/2013/Jun/21; classtype:trojan-activity; sid:2016977; rev:5; metadata:created_at 2013_06_06, updated_at 2020_09_18;)