snort2-docker/docker/etc/rules/server-apache.rules
2020-02-24 08:56:30 -05:00

172 lines
69 KiB
Plaintext

# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# SERVER-APACHE RULES
#---------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache HTTP Server possible OPTIONS method memory leak attempt"; flow:to_server,established,only_stream; content:"OPTIONS"; fast_pattern:only; content:"OPTIONS"; http_method; detection_filter:track by_src,count 20,seconds 60; metadata:service http; reference:bugtraq,100872; reference:cve,2017-9798; reference:url,blog.fuzzing-project.org/60-Optionsbleed-HTTP-OPTIONS-method-can-leak-Apaches-server-memory.html; classtype:attempted-user; sid:44434; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_rpaf X-Forwarded-For header denial of service attempt"; flow:to_server,established; content:"X-Forwarded-For|3A| "; fast_pattern:only; http_header; pcre:"/X-Forwarded-For\x3A\s+(?!(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))[^\s]+[\r\n]/Hi"; metadata:service http; reference:cve,2012-3526; classtype:web-application-attack; sid:24348; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE HP Operations Dashboard Apache Tomcat default admin account access attempt"; flow:to_server,established; content:"/manager/"; fast_pattern:only; http_uri; content:"Authorization: Basic"; nocase; http_header; content:"ajJkZXBsb3llcjpqMmRlcGxveWVy"; distance:0; metadata:service http; reference:bugtraq,36258; reference:cve,2009-3098; reference:cve,2009-4188; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-admin; sid:24306; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache WebDAV mod_dav nested entity reference DoS attempt"; flow:to_server,established; content:"PROPFIND"; http_method; content:"<?xml"; depth:200; nocase; content:"<!DOCTYPE"; distance:0; nocase; content:"["; within:50; content:"<!ENTITY"; distance:0; nocase; content:!"]"; within:500; content:"<REMOTE"; distance:0; nocase; pcre:"/^>.*?&x\d+\x3B.*?<\/REMOTE>/smiR"; metadata:service http; reference:bugtraq,35253; reference:cve,2009-1955; classtype:attempted-dos; sid:23779; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt - POST parameter"; flow:to_server,established; content:".action"; fast_pattern:only; http_uri; content:"new"; nocase; http_client_body; pcre:"/new(\s|%20)+(java|org)/iP"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0391; reference:cve,2016-3081; reference:url,issues.apache.org/jira/browse/WW-3668; reference:url,struts.apache.org/docs/s2-032.html; classtype:attempted-admin; sid:23631; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-APACHE Apache Tomcat PUT request remote file deployment attempt"; flow:to_server,established; content:"PUT"; http_method; content:"manager|2F|deploy|3F|path|3D|"; fast_pattern:only; content:"Authorization|3A| Basic"; nocase; http_header; base64_decode:relative; base64_data; pcre:"/^(password|admin|tomcat)\x3a(password|admin|tomcat)/iR"; metadata:service http; reference:url,seclists.org/fulldisclosure/2012/Mar/188; classtype:attempted-user; sid:21923; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt - GET parameter"; flow:to_server,established; content:".action?"; nocase; http_uri; content:"@java.lang."; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0391; reference:cve,2016-3081; reference:url,issues.apache.org/jira/browse/WW-3668; reference:url,struts.apache.org/docs/s2-032.html; classtype:attempted-admin; sid:21656; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat Web Application Manager access"; flow:to_server,established; content:"/manager/html"; nocase; http_uri; metadata:service http; reference:url,tomcat.apache.org/tomcat-5.5-doc/manager-howto.html#Introduction; classtype:attempted-recon; sid:21515; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache URI directory traversal attempt"; flow:to_server,established; content:"cgi-bin"; nocase; http_raw_uri; content:"|2E 2E 25|5c"; nocase; http_raw_uri; content:"|2E 2E 25|5c"; fast_pattern; nocase; metadata:service http; reference:bugtraq,5434; reference:cve,2002-0661; classtype:attempted-recon; sid:21356; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache XML HMAC truncation authentication bypass attempt"; flow:to_server,established; content:"<?xml"; nocase; http_client_body; content:"HMACOutputLength"; distance:0; fast_pattern; nocase; http_client_body; content:">"; within:10; http_client_body; pcre:!"/<\s*ds\:\s*HMACOutputLength\s*>\s*\d{10}\s*<\s*\/\s*ds\:HMACOutputLength\s*>/Pims"; metadata:service http; reference:bugtraq,35671; reference:cve,2009-0217; classtype:attempted-user; sid:21337; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt - DebuggingInterceptor"; flow:to_server,established; content:".action?"; nocase; http_uri; content:"debug=command"; distance:0; nocase; http_uri; content:"expression="; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:cve,2012-0394; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-admin; sid:21075; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache APR header memory corruption attempt"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|0A|Host:"; nocase; http_header; isdataat:256; content:!"|0A|"; within:256; http_header; metadata:service http; reference:bugtraq,7723; reference:cve,2003-0245; classtype:attempted-admin; sid:20821; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat Java AJP connector invalid header timeout DOS attempt"; flow:to_server,established; content:"localhost:x"; nocase; http_header; metadata:service http; reference:bugtraq,35193; reference:cve,2009-0033; classtype:attempted-dos; sid:20612; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache APR apr_fn match infinite loop denial of service attempt"; flow:to_server,established; content:"P=*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?*?"; fast_pattern:only; metadata:service http; reference:cve,2011-0419; reference:url,issues.apache.org/bugzilla/show_bug.cgi?id=51219; classtype:attempted-dos; sid:19709; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts OGNL parameter interception bypass command execution attempt"; flow:to_server,established; content:"xwork.MethodAccessor.denyMethodExecution"; nocase; http_uri; content:"u0023"; nocase; http_uri; metadata:service http; reference:bugtraq,41592; reference:cve,2010-1870; classtype:attempted-admin; sid:18931; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Oracle WebLogic Apache Connector buffer overflow attempt"; flow:to_server,established; content:"POST"; http_method; content:"xxxxxxxxxxxxxxxxxxxx"; depth:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30273; reference:cve,2008-3257; reference:url,www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html; classtype:attempted-admin; sid:18283; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat username enumeration attempt"; flow:to_server,established; content:"j_username="; nocase; content:"j_password=%"; nocase; metadata:service http; reference:bugtraq,35196; reference:cve,2009-0580; classtype:attempted-recon; sid:18096; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"%2E%2E/"; fast_pattern:only; content:"%2E%2E/"; http_raw_uri; pcre:"/\/(\\|%5C)%2E%2E\//"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17502; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/%2E%2E"; fast_pattern:only; content:"/%2E%2E"; http_raw_uri; pcre:"/\/%2E%2E(\\|%5C)\//"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17501; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..%5C/"; fast_pattern:only; content:"/..%5C/"; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17500; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/..|5C|/"; fast_pattern:only; content:"/..|5C|/"; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17499; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-APACHE Apache Tomcat UNIX platform directory traversal"; flow:to_server,established; content:"/|5C|../"; fast_pattern:only; content:"/|5C|../"; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22960; reference:cve,2007-0450; reference:url,tomcat.apache.org/tomcat-6.0-doc/changelog.html; classtype:web-application-attack; sid:17498; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache 413 error HTTP request method cross-site scripting attack"; flow:to_server,established; content:"<PROCHECKUP>"; depth:12; nocase; metadata:service http; reference:bugtraq,26663; reference:cve,2007-6203; classtype:web-application-attack; sid:16611; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt"; flow:to_server,established; content:"Proxy-Connection|3A| Keep-Alive|0D 0A|Okytuasd|3A| AAAA"; http_header; metadata:policy security-ips drop, service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16480; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt - public shell code"; flow:to_server,established; content:"1|C0|1|C9|d|8B|q0|8B|v|0C 8B|v|1C 8B|V|08 8B|~ |8B|6f9O|14|u|F2|f|B9 01|mf|81 E9 94|lf9|0F|f|89 C1|u|E1 89 E5 EB|q`|8B|l|24 24 8B|E<|8B|T|05|x|01 EA 8B|J|18 8B|Z |01 EB E3|4I|8B|4|8B 01 EE|1|FF|1|C0 FC AC 84 C0|t|07 C1 CF 0D 01 C7 EB F4 3B 7C 24 28|u|E1 8B|Z|24 01 EB|f|8B 0C|K|8B|Z|1C 01 EB 8B 04 8B 01 E8 89|D|24 1C|a|C3 AD|PR|E8 AA FF FF FF 89 07|f|81 C4 0C 01|f|81 EC 04 01|f|81 C7 08 01|f|81 EF 04 01|9|CE|u|DE C3 EB 10|^|8D|}|04 89 F1 80 C1 0C E8 CD FF FF FF EB 3B E8 EB FF FF FF|n|7C|.|E1 1E|<?|D7|t|1E|H|CD|1|D2|X|88|P|07 EB|/1|D2|Y|88|Q|01 EB|.QP|FF|U|04 EB|,1|D2|Y|88|Q|09 EB|3QP|89 C6 FF|U|08|S|FF|U|0C E8 D1 FF FF FF|sos.txtN|E8 CC FF FF FF|wN|E8 CD FF FF FF E8 CF FF FF FF|pwn-isapiN|E8 C8 FF FF FF 90 90 90 90|"; metadata:impact_flag red, policy security-ips drop, service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:16479; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_auth_pgsql module logging facility format string exploit attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Basic"; within:20; nocase; content:"dGVzdCVuJW4lbjpmb29iYXI="; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,16153; reference:cve,2005-3656; classtype:attempted-user; sid:16198; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_ssl hook functions format string attempt"; flow:to_server,established; content:"https"; nocase; http_uri; pcre:"/^[a-z]+\s+https\x3a\x2f\x2f[^\x2f\x3a\x25\s]*\x25[sn]/i"; metadata:service http; reference:bugtraq,10736; reference:cve,2004-0700; classtype:attempted-user; sid:15980; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-APACHE Apache Tomcat WebDAV system tag remote file disclosure attempt"; flow:established,to_server; content:"<!ENTITY RemoteX SYSTEM"; nocase; reference:bugtraq,26070; reference:cve,2007-5461; reference:url,issues.apache.org/jira/browse/GERONIMO-3549; classtype:successful-recon-limited; sid:12711; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache APR memory corruption attempt"; flow:to_server,established; content:"PROPFIND"; nocase; http_method; content:"propfind xmlns|3A|"; nocase; isdataat:514,relative; pcre:"/propfind xmlns\x3A[^\x3D]*\x3d\x22[^\x22]{512}/smi"; metadata:service http; reference:bugtraq,7723; reference:cve,2003-0245; classtype:attempted-admin; sid:12465; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache header parsing space saturation denial of service attempt"; flow:to_server,established; content:"HTTP/1."; pcre:"/HTTP\/1\.[01][\n\r].*?[\x20\t]{200}/si"; metadata:service http; reference:cve,2004-0942; classtype:attempted-dos; sid:11273; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache newline exploit attempt"; flow:to_server,established; content:"|0D 0A 0D 0A|"; pcre:"/(\x0d\x0a){100}/"; metadata:service http; reference:bugtraq,7254; reference:cve,2003-0132; classtype:web-application-attack; sid:11272; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-APACHE Apache mod_ssl non-SSL connection to SSL port denial of service attempt"; flow:to_server,established; content:"HTTP/"; fast_pattern:only; pcre:"/^(GET|POST|PUT|HEAD)/mi"; metadata:service ssl; reference:bugtraq,16152; reference:cve,2005-3357; reference:cve,2017-3169; classtype:attempted-dos; sid:11263; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache malformed ipv6 uri overflow attempt"; flow:to_server,established; content:"://["; http_raw_uri; pcre:"/\x3a\x2f{2}(.*@)?\x5b(\s*$|[\x2F\x3F\x23]+.*|\x3a[^\x3a\x5d]*[\x2F\x3F\x23]?)+/I"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,11187; reference:cve,2004-0786; classtype:web-application-attack; sid:5715; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat null byte directory listing attempt"; flow:to_server,established; content:"|00|.jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; reference:nessus,11438; classtype:web-application-attack; sid:2061; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat SnoopServlet servlet access"; flow:to_server,established; content:"/examples/servlet/SnoopServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat TroubleShooter servlet access"; flow:to_server,established; content:"/examples/servlet/TroubleShooter"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat servlet mapping cross site scripting attempt"; flow:to_server,established; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; metadata:ruleset community, service http; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"X-CCCCCCC|3A 20|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:1809; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server snoop access"; flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1532; reference:cve,2000-0760; reference:nessus,10478; classtype:attempted-recon; sid:1108; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat view source attempt"; flow:to_server,established; content:"%252ejsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:16;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; content:".action?redirect|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:27244; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirectAction"; flow:to_server,established; content:".action?redirectAction|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:27243; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts arbitrary OGNL remote code execution attempt"; flow:to_server,established; content:".action?"; nocase; http_uri; content:"=${{"; distance:0; http_uri; content:"=$%7B%25%7B"; nocase; http_raw_uri; pcre:"/\.action\?[^\x2f]+?=\x24\{\{[^\x2f{}]+?\}\}$/miU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,60345; reference:cve,2013-2135; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:27575; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; content:"(@java.lang.Runtime@getRuntime()).exec("; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,60345; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2013-2135; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:27574; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; content:"/{#"; http_uri; content:"}"; distance:0; http_uri; content:"/%25%7B"; nocase; http_raw_uri; pcre:"/\x2f\{\x23[^\x2f{}]+?\}(\.action)?\x2f?$/miU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,60346; reference:cve,2013-2134; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:27573; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; content:"/${#"; http_uri; content:"}"; distance:0; http_uri; pcre:"/\x2f\x24\{\x23[^\x2f{}]+?\}(\.action)?\x2f?$/miU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,60346; reference:cve,2013-2134; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:27572; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Oracle WebLogic Apache Connector buffer overflow attempt"; flow:to_server,established; content:"POST"; http_method; content:"/weblogic/index.jsp"; http_uri; isdataat:3500,relative; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30273; reference:cve,2008-3257; reference:url,www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html; classtype:attempted-admin; sid:29523; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; content:"%25%7B"; fast_pattern:only; content:"%25%7B"; nocase; http_raw_uri; content:"{"; http_uri; content:"}"; within:25; http_uri; pcre:"/%25%7B[^\x2f\x5c]+?%7D/Ii"; metadata:service http; reference:bugtraq,60346; reference:cve,2013-2134; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:29592; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt"; flow:to_server,established; content:"${"; http_uri; content:"}"; distance:0; http_uri; pcre:"/\x24\{[^\x2f{}]+?\}/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-admin; sid:29639; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat infinite loop denial of service attempt"; flow:to_server,established; content:"Content-type|3A 20|multipart"; nocase; http_raw_header; content:"boundary|3D|"; within:50; nocase; http_raw_header; isdataat:4092,relative; content:!"|0A|"; within:4092; http_raw_header; metadata:service http; reference:cve,2014-0050; classtype:denial-of-service; sid:29896; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt - CookieInterceptor"; flow:to_server,established; content:".action"; fast_pattern:only; http_uri; content:"Cookie|3A|"; http_header; pcre:"/\x5cu0020[^\x3D]+?\x5cu0020[^\x3D]*?\x3D/C"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,51257; reference:cve,2012-0392; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-admin; sid:29936; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Solr SolrResourceLoader directory traversal attempt"; flow:to_server,established; content:"/solr/select"; fast_pattern:only; http_uri; content:"tr="; nocase; http_uri; content:"../"; distance:0; http_uri; pcre:"/[?&]tr=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:bugtraq,63935; reference:cve,2013-6397; reference:url,issues.apache.org/jira/browse/SOLR-4882; classtype:attempted-admin; sid:30010; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts ParametersInterceptor classloader access attempt"; flow:to_server,established; content:"class["; nocase; http_uri; content:"ClassLoader"; distance:0; fast_pattern; nocase; http_uri; pcre:"/class\x5b\s*?[\x22\x27]ClassLoader[\x22\x27]\s*?\x5d/Ui"; metadata:service http; reference:cve,2014-0112; reference:url,cwiki.apache.org/confluence/display/WW/S2-021; classtype:attempted-admin; sid:30793; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts ParametersInterceptor classloader access attempt"; flow:to_server,established; content:"class.ClassLoader."; fast_pattern:only; http_uri; pcre:"/class\x2eClassLoader\x2e[^&]+?=/Ui"; metadata:service http; reference:bugtraq,65999; reference:cve,2014-0094; reference:cve,2014-0114; reference:url,struts.apache.org/release/2.3.x/docs/s2-020.html; classtype:attempted-admin; sid:30792; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts ParametersInterceptor classloader access attempt"; flow:to_server,established; content:"class"; nocase; http_client_body; content:"ClassLoader"; distance:0; fast_pattern; nocase; http_client_body; pcre:"/class(\x5b|%5b)\s*?([\x22\x27]|%22|%27)ClassLoader([\x22\x27]|%22|%27)\s*?(\x5d|%5d)/Pi"; metadata:service http; reference:cve,2014-0112; reference:url,cwiki.apache.org/confluence/display/WW/S2-021; classtype:attempted-admin; sid:30791; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts ParametersInterceptor classloader access attempt"; flow:to_server,established; content:"class"; nocase; http_client_body; content:"ClassLoader"; distance:0; fast_pattern; nocase; http_client_body; pcre:"/class(\x2e|%2e)ClassLoader(\x2e|%2e)/Pi"; metadata:service http; reference:bugtraq,65999; reference:cve,2014-0094; reference:cve,2014-0114; reference:url,struts.apache.org/release/2.3.x/docs/s2-020.html; classtype:attempted-admin; sid:30790; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts CookieInterceptor classloader access attempt"; flow:to_server,established; content:"ClassLoader"; fast_pattern:only; content:"class"; nocase; http_cookie; content:"ClassLoader"; distance:0; nocase; http_cookie; pcre:"/class([\x2e\x5b]|%2e|%5b)([\x22\x27]|%22|%27)?ClassLoader/Ci"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,67081; reference:cve,2014-0113; reference:url,cwiki.apache.org/confluence/display/WW/S2-021; classtype:attempted-admin; sid:30944; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"Transfer-Encoding: Chunked"; fast_pattern; nocase; content:"|0D 0A|"; distance:0 ; byte_test:8,>,2147483647,0,string,hex,relative; content:"|20|"; within:9; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:31405; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-APACHE Apache mod_log_config cookie handling denial of service attempt"; flow:to_server,established; content:"Cookie|3A| =|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51705; reference:cve,2012-0021; classtype:denial-of-service; sid:34048; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts allowStaticMethodAccess invocation attempt"; flow:to_server,established; content:".do"; nocase; http_uri; content:"allowStaticMethodAccess"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,60166; reference:cve,2013-1966; reference:cve,2013-2115; reference:url,struts.apache.org/development/2.x/docs/s2-014.html; classtype:attempted-admin; sid:29859; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; content:".do?redirect|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:29748; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 blacklisted method redirect"; flow:to_server,established; content:".do?redirectAction|3A|"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2248; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; reference:url,struts.apache.org/release/2.3.x/docs/s2-017.html; classtype:web-application-attack; sid:29747; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Roller allowStaticMethodAccess invocation attempt"; flow:to_server,established; content:".rol?"; nocase; http_uri; content:"pageTitle="; distance:0; nocase; http_uri; content:"allowStaticMethodAccess"; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,63928; reference:cve,2013-4212; classtype:attempted-user; sid:29649; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Roller OGNL injection remote code execution attempt"; flow:to_server,established; content:".rol?"; nocase; http_uri; content:"pageTitle="; distance:0; nocase; http_uri; content:"new "; distance:0; nocase; http_uri; pcre:"/new (java|org|sun)/Ui"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,63928; reference:cve,2013-4212; classtype:attempted-user; sid:29648; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Roller OGNL injection remote code execution attempt"; flow:to_server,established; content:".rol?"; nocase; http_uri; content:"pageTitle="; distance:0; nocase; http_uri; content:"@java.lang."; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,63928; reference:cve,2013-4212; classtype:attempted-user; sid:29647; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 remote code execution attempt"; flow:to_server,established; content:".action?action|3A|"; nocase; http_uri; content:".start|28 29|"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:web-application-attack; sid:27245; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_log_config cookie handling denial of service attempt"; flow:to_server,established; content:"Cookie|3A|"; fast_pattern:only; pcre:"/((^|\x3b)\s*?=\s*?(\x3b|$))/Cm"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51705; reference:cve,2012-0021; classtype:denial-of-service; sid:24698; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_log_config cookie handling denial of service attempt"; flow:to_server,established; content:"Cookie|3A| =|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51705; reference:cve,2012-0021; classtype:denial-of-service; sid:24697; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts parameters interceptor remote code execution attempt"; flow:to_server,established; content:"#context"; fast_pattern:only; http_uri; pcre:"/action\?.*?#context.*?(allowStaticMethodAccess|Runtime@getRuntime\x28\x29\.exec\x28)/iU"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3923; reference:url,struts.apache.org/2.x/docs/s2-009.html; classtype:attempted-user; sid:21522; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Byte-Range Filter denial of service attempt"; flow:established, to_server; content:"HEAD"; nocase; http_method; content:"Range|3A|bytes|3D|0-|2C|"; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14660; reference:cve,2005-2728; classtype:attempted-dos; sid:21260; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache server mod_proxy reverse proxy bypass attempt"; flow:to_server,established; content:"|3A 40|"; http_uri; pcre:"/^\w+?\x3A\x40/iU"; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3368; reference:cve,2011-4317; classtype:attempted-recon; sid:21214; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt - CookieInterceptor"; flow:to_server,established; content:".action"; fast_pattern:only; http_uri; content:"Cookie|3A|"; http_header; pcre:"/^[\x28\x5b][^\x3D]+?[\x29\x5d][^\x3D]*?\x3D/Cm"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,51257; reference:cve,2012-0392; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-admin; sid:21074; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts allowStaticMethodAccess invocation attempt"; flow:to_server,established; content:".action?"; nocase; http_uri; content:"allowStaticMethodAccess"; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0391; reference:url,issues.apache.org/jira/browse/WW-3668; classtype:attempted-admin; sid:21073; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt - GET parameter"; flow:to_server,established; content:".action?"; nocase; http_uri; content:"new "; distance:0; nocase; http_uri; pcre:"/new\s+(java|org)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2012-0391; reference:cve,2012-0393; reference:cve,2016-3081; reference:url,issues.apache.org/jira/browse/WW-3668; reference:url,struts.apache.org/docs/s2-032.html; classtype:attempted-admin; sid:21072; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_proxy reverse proxy information disclosure attempt"; flow:to_server,established; content:"|40|"; depth:1; http_uri; metadata:policy max-detect-ips drop, service http; reference:cve,2011-3368; reference:cve,2011-4317; classtype:attempted-recon; sid:20528; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Killer denial of service tool exploit attempt"; flow:to_server,established; content:"Range"; nocase; http_header; content:"bytes"; within:10; nocase; http_header; pcre:"/Range\s*\x3A\s*bytes=([\d\x2D]+\x2C){50}/Hsmi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,49303; reference:cve,2011-3192; reference:url,archives.neohapsis.com/archives/fulldisclosure/2011-08/0203.html; classtype:attempted-dos; sid:19825; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_isapi dangling pointer exploit attempt"; flow:to_server,established; content:"Proxy-Connection: Keep-Alive"; http_header; content:"Transfer-Encoding: chunked|0D 0A|Content-Length: 40334"; fast_pattern:only; http_header; content:".dll"; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:19124; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_isapi dangling pointer code execution attempt"; flow:to_server,established; content:"POST"; http_method; content:"/cgi-bin/smtpsend.dll"; fast_pattern:only; stream_size:client,>,1400; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,38494; reference:cve,2010-0425; classtype:attempted-admin; sid:19107; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache HTTP server mod_rewrite module LDAP scheme handling buffer overflow attempt"; flow:to_server,established; content:"ldap:/"; nocase; http_uri; pcre:"/\x3F[^\x3F]*\x3F[^\x3F]*\x3F[^\x3F]*\x3F[^\x3F]*\x3F/U"; metadata:policy max-detect-ips drop, service http; reference:cve,2006-3747; classtype:attempted-user; sid:17656; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts Information Disclosure Attempt"; flow:to_server,established; content:"/struts"; nocase; http_uri; content:"..|25|252f"; http_raw_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32104; reference:cve,2008-6505; classtype:attempted-recon; sid:17533; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat allowLinking URIencoding directory traversal attempt"; flow:to_server,established; content:"%ae/"; fast_pattern:only; content:"%ae/"; nocase; http_raw_uri; pcre:"/(((\xc0|\xe0\x80|\xf0\x80\x80)\xaf|\x2f)((\xc0|\xe0\x80|\xf0\x80\x80)\xae|\x2e){2}|(((\xc0|\xe0\x80|\xf0\x80\x80)\xae|\x2e){2}(\xc0|\xe0\x80|\xf0\x80\x80)\xaf|\x2f))/I"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30633; reference:cve,2008-2938; classtype:suspicious-filename-detect; sid:17387; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Byte-Range Filter denial of service attempt"; flow:established, to_server; content:"POST"; nocase; http_method; content:"Range|3A| bytes|3D|"; nocase; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,14660; reference:cve,2005-2728; classtype:attempted-dos; sid:17354; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"SERVER-APACHE HP Performance Manager Apache Tomcat policy bypass attempt"; flow:to_server,established; content:"/manager"; nocase; content:"Authorization"; distance:0; nocase; content:"Basic"; within:50; nocase; content:"b3Z3ZWJ1c3I6T3ZXKmJ1c3Ix"; within:100; nocase; metadata:policy max-detect-ips drop, service http; reference:bugtraq,36954; reference:bugtraq,37086; reference:cve,2009-3548; reference:cve,2009-3843; classtype:attempted-admin; sid:17156; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat JK Web Server Connector long URL stack overflow attempt - 1"; flow:to_server,established; urilen:>1024; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; http_uri; metadata:policy max-detect-ips drop, service http; reference:bugtraq,22791; reference:cve,2007-0774; classtype:attempted-admin; sid:17107; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache http Server mod_tcl format string attempt"; flow:to_server,established; content:"application/x-www-form-urlencoded"; http_header; content:"abc=%25s%25s"; fast_pattern; metadata:policy max-detect-ips drop, service http; reference:bugtraq,20527; reference:cve,2006-4154; classtype:attempted-user; sid:16021; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Oracle WebLogic Apache Connector buffer overflow attempt"; flow:to_server,established; content:"POST"; http_method; content:"AAAAAAAAAAAAAAAAAAAA"; depth:100; metadata:policy max-detect-ips drop, service http; reference:bugtraq,30273; reference:cve,2008-3257; reference:url,www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html; classtype:attempted-admin; sid:15511; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE BEA WebLogic Apache Oracle connector Transfer-Encoding buffer overflow attempt"; flow:to_server,established; content:"POST"; http_method; content:"Transfer-Encoding|3A|"; http_header; content:!"|0A|"; within:256; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,31683; reference:cve,2008-4008; reference:url,support.bea.com/application_content/product_portlets/securityadvisories/2806.html; classtype:attempted-admin; sid:14771; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_imagemap cross site scripting attempt"; flow:to_server,established; content:".map/"; nocase; http_uri; content:"script"; nocase; pcre:"/\x2emap\/[^\n]*script[^\n]*script/i"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,26838; reference:cve,2007-5000; classtype:web-application-attack; sid:13302; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-APACHE Apache mod_cache denial of service attempt"; flow:established,to_server; content:"Cache-Control|3A|"; fast_pattern:only; pcre:"/^Cache-Control\x3A\s*(max-(age|stale)|min-fresh|s-maxage)\s*\x3D[^\d]+\x0A/smi"; metadata:policy max-detect-ips drop, service http; reference:bugtraq,24649; reference:cve,2007-1863; classtype:denial-of-service; sid:12591; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache SSI error page cross-site scripting attempt"; flow:to_server,established; content:"alert(document.cookie)"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, service http; reference:bugtraq,32476; reference:bugtraq,5847; reference:cve,2002-0840; reference:cve,2008-5278; reference:url,packetstormsecurity.com/files/cve/CVE-2002-0840; classtype:web-application-attack; sid:11687; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-APACHE Apache mod_rewrite buffer overflow attempt"; flow:to_server,established; content:"GET"; nocase; content:"ldap|3A|"; distance:0; pcre:"/ldap\x3A\x2F\x2F[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)[^\x0A]*(%3f|\x3F)/smi"; metadata:policy max-detect-ips drop; reference:cve,2006-3747; classtype:attempted-admin; sid:11679; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache HTTP Server mod_proxy denial of service attempt"; flow:to_server,established; content:"Connection|3A 20|"; nocase; http_header; content:"|3B|"; within:20; http_header; pcre:"/Connection\x3a\s*[^\x0d\x0a]*\x3b/mHi"; metadata:service http; reference:cve,2014-0117; reference:url,httpd.apache.org/security/vulnerabilities_24.html; classtype:attempted-admin; sid:35314; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache HTTP Server mod_status heap buffer overflow attempt"; flow:to_server,established,only_stream; content:"/server-status"; fast_pattern:only; http_uri; detection_filter:track by_dst, count 21, seconds 2; metadata:impact_flag red, service http; reference:cve,2014-0226; reference:url,httpd.apache.org/security/vulnerabilities_24.html; classtype:web-application-activity; sid:35406; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-APACHE 404 OK response"; flow:to_client, established; content:"HTTP/1.1 404 OK"; depth:15; metadata:service http; reference:url,www.virustotal.com/en/file/fe08cdc834d8ba803e69d1010bf7b66a7e57df50709c4923c13975217009e112/analysis/; classtype:misc-attack; sid:38268; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern:only; http_uri; content:"new "; nocase; http_uri; pcre:"/new\s+(java|org|sun)/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3087; reference:cve,2017-12611; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:39191; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern:only; http_uri; content:"@java.lang."; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3087; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; classtype:attempted-admin; sid:39190; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Continuum saveInstallation.action arbitrary command execution attempt"; flow:to_server,established; content:"/continuum/saveInstallation.action"; fast_pattern:only; http_uri; content:"installation.varValue="; nocase; metadata:policy max-detect-ips drop, service http; reference:url,issues.apache.org/jira/browse/continuum; classtype:attempted-admin; sid:39326; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat Commons FileUpload library denial of service attempt"; flow:to_server,established; content:"Content-type|3A 20|multipart"; fast_pattern:only; nocase; content:"boundary|3D|"; nocase; http_raw_header; isdataat:71,relative,rawbytes; content:!"|0A|"; within:71; http_raw_header; metadata:service http; reference:bugtraq,91453; reference:cve,2016-3092; classtype:denial-of-service; sid:39908; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Jetspeed Portal cross-site scripting attempt"; flow:to_server,established; content:"/jetspeed/portal/"; fast_pattern:only; http_uri; pcre:"/\x2fjetspeed\x2fportal\x2f[^?\x2f]*?([\x22\x27\x3c\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, service http; reference:cve,2016-0712; reference:url,portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0712; classtype:attempted-user; sid:40302; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat credential disclosure attempt"; flow:to_server,established; content:"/conf/users/admin-users.xml"; fast_pattern:only; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1003; reference:url,attack.mitre.org/techniques/T1081; reference:url,attack.mitre.org/techniques/T1214; classtype:attempted-admin; sid:40321; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat default credential login attempt"; flow:to_server,established; content:"/manager/html"; nocase; http_uri; content:"Authorization: Basic cm9sZTE6cm9sZTE="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40320; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat default credential login attempt"; flow:to_server,established; content:"/manager/html"; nocase; http_uri; content:"Authorization: Basic Ym90aDp0b21jYXQ="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40319; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat default credential login attempt"; flow:to_server,established; content:"/manager/html"; nocase; http_uri; content:"Authorization: Basic YWRtaW46YWRtaW4="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40318; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat default credential login attempt"; flow:to_server,established; content:"/manager/html"; nocase; http_uri; content:"Authorization: Basic YWRtaW46Y2hhbmdldGhpcw=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40317; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat default credential login attempt"; flow:to_server,established; content:"/manager/html"; nocase; http_uri; content:"Authorization: Basic dG9tY2F0OnRvbWNhdA=="; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:40316; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts xslt.location local file inclusion attempt"; flow:to_server,established; content:"/XSLAction.action"; fast_pattern:only; http_uri; content:"xslt.location="; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3082; reference:url,attack.mitre.org/techniques/T1220; reference:url,struts.apache.org/docs/s2-031.html; classtype:attempted-admin; sid:40359; rev:3;)
# alert tcp $EXTERNAL_NET 3690 -> $HOME_NET any (msg:"SERVER-APACHE Apache Subversion svnserve integer overflow attempt"; flow:to_client,established; content:"184467440737095516"; depth:18; content:"|3A|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-5259; reference:url,subversion.apache.org/security/CVE-2015-5259-advisory.txt; classtype:attempted-user; sid:40849; rev:1;)
# alert tcp $EXTERNAL_NET 3690 -> $HOME_NET any (msg:"SERVER-APACHE Apache Subversion svnserve integer overflow attempt"; flow:to_client,established; content:"42949672"; depth:8; content:"|3A|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-5259; reference:url,subversion.apache.org/security/CVE-2015-5259-advisory.txt; classtype:attempted-user; sid:40848; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3690 (msg:"SERVER-APACHE Apache Subversion svnserve integer overflow attempt"; flow:to_server,established; content:"184467440737095516"; depth:18; content:"|3A|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-5259; reference:url,subversion.apache.org/security/CVE-2015-5259-advisory.txt; classtype:attempted-user; sid:40847; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3690 (msg:"SERVER-APACHE Apache Subversion svnserve integer overflow attempt"; flow:to_server,established; content:"42949672"; depth:8; content:"|3A|"; within:1; distance:2; metadata:policy max-detect-ips drop, policy security-ips drop; reference:cve,2015-5259; reference:url,subversion.apache.org/security/CVE-2015-5259-advisory.txt; classtype:attempted-user; sid:40846; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache HTTP Server mod_http2 denial of service attempt"; flow:to_server,established; content:"|01 00 00 00 00 01|"; content:"|09 01 00 00 00 01|"; within:50; content:"|09 01 00 00 00 01|"; within:25; content:"|09 01 00 00 00 01|"; within:25; metadata:service http; reference:cve,2016-8740; classtype:denial-of-service; sid:41688; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern:only; http_header; content:"new "; nocase; http_header; pcre:"/new\s+(java|org|sun)/Hi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5638; reference:cve,2017-9791; reference:url,cwiki.apache.org/confluence/display/WW/S2-045; classtype:attempted-admin; sid:41819; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"Content-Type:"; nocase; http_header; content:"ognl"; distance:0; fast_pattern; nocase; http_header; content:"multipart/form-data"; nocase; http_header; content:"%{"; http_raw_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5638; reference:cve,2017-9791; reference:url,cwiki.apache.org/confluence/display/WW/S2-045; classtype:attempted-admin; sid:41818; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern:only; http_client_body; content:"new "; nocase; http_client_body; pcre:"/new\s+(java|org|sun)/Pi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12611; reference:cve,2017-5638; reference:cve,2017-9791; reference:url,struts.apache.org/docs/s2-045.html; reference:url,struts.apache.org/docs/s2-048.html; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:41923; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"Content-Disposition:"; nocase; http_client_body; content:"%{"; distance:0; http_client_body; content:".ognl"; distance:0; fast_pattern; nocase; http_client_body; content:"form-data"; nocase; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5638; reference:cve,2017-9791; classtype:attempted-admin; sid:41922; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_session_crypto padding oracle brute force attempt"; flow:to_server,established,only_stream; content:"session="; fast_pattern:only; content:"session="; nocase; http_cookie; content:"AAAAAAAAAAA"; within:150; http_cookie; detection_filter:track by_src,count 20, seconds 2; metadata:service http; reference:cve,2016-0736; reference:url,attack.mitre.org/techniques/T1110; reference:url,httpd.apache.org/security/vulnerabilities_24.html; classtype:web-application-attack; sid:42133; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE httpd mod_mime content-type buffer overflow attempt"; flow:to_server,established; content:"Content-Type: "; http_header; content:"|5C 0D 0A|"; within:100; http_header; pcre:"/Content-Type:[^\r\n]{0,100}\x5C\x0D\x0A/iGH"; metadata:service http; reference:cve,2017-7679; classtype:attempted-user; sid:43547; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Rave information disclosure attempt"; flow:to_server,established; content:"/app/api/rpc/users/get"; fast_pattern:only; http_uri; content:"offset="; nocase; http_uri; metadata:service http; reference:cve,2013-1814; classtype:attempted-recon; sid:43247; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5672 (msg:"SERVER-APACHE Apache Qpid AMQP denial of service attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 0D|"; depth:14; offset:5; reference:cve,2015-0203; classtype:denial-of-service; sid:44156; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5672 (msg:"SERVER-APACHE Apache Qpid AMQP denial of service attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 02 01|"; content:"|00 00 00 00 00 00 00 02 08|"; distance:0; byte_extract:4,4,range1,relative; byte_test:4,<,range1,0,relative; reference:cve,2015-0203; classtype:denial-of-service; sid:44155; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt"; flow:to_server,established; content:"%25|7B|"; fast_pattern:only; http_client_body; pcre:"/(^|&)\w+=[^&]*%25\x7b/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12611; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:44330; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt"; flow:to_server,established; content:"%25|7B|"; fast_pattern:only; content:"%25|7B|"; nocase; http_raw_uri; pcre:"/[?&]\w+=[^&]*%25\x7b/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12611; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:44329; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt"; flow:to_server,established; content:"%25%7B"; fast_pattern:only; http_client_body; pcre:"/(^|&)\w+=[^&]*%25%7B/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12611; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:44328; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts freemarker tag OGNL expression injection attempt"; flow:to_server,established; content:"%25%7B"; fast_pattern:only; content:"%25%7B"; nocase; http_raw_uri; pcre:"/[?&]\w+=[^&]*%25%7B/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-12611; reference:url,struts.apache.org/docs/s2-053.html; classtype:attempted-admin; sid:44327; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat remote JSP file upload attempt"; flow:to_server,established; content:"PUT"; http_method; content:".jsp/"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,100954; reference:cve,2017-12617; reference:url,bz.apache.org/bugzilla/show_bug.cgi?id=61542; classtype:attempted-user; sid:44531; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8983 (msg:"SERVER-APACHE Apache Solr xmlparser external doctype or entity expansion attempt"; flow:to_server,established; content:"/solr/"; depth:6; nocase; http_uri; content:"/select"; nocase; http_uri; content:"xmlparser"; fast_pattern:only; http_uri; pcre:"/<\x21(ENTITY|DOCTYPE)[^>]+?(SYSTEM|PUBLIC)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,101261; reference:cve,2017-12629; classtype:web-application-attack; sid:45084; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8983 (msg:"SERVER-APACHE Apache Solr RunExecutableListener arbitrary command execution attempt"; flow:to_server,established; content:"/solr/"; depth:6; nocase; http_uri; content:"/config"; nocase; http_uri; content:"solr.RunExecutableListener"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,101261; reference:cve,2017-12629; classtype:attempted-admin; sid:45083; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Sling framework information disclosure attempt"; flow:to_server,established; content:"POST"; http_method; content:"Content-Disposition"; nocase; http_client_body; content:":operation"; http_client_body; content:"delete"; http_client_body; content:":applyTo"; fast_pattern:only; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-0956; reference:url,exploit-db.com/exploits/39435/; reference:url,helpx.adobe.com/security/products/experience-manager/apsb16-05.html; classtype:web-application-attack; sid:45353; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache SSI error page cross-site scripting attempt"; flow:to_server,established; content:"Host: "; http_header; content:"alert(|27|"; within:75; nocase; http_header; metadata:service http; reference:bugtraq,5847; reference:cve,2002-0840; classtype:web-application-attack; sid:45307; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET [10001,10002] (msg:"SERVER-APACHE Apache Tomcat Java JmxRemoteLifecycleListener unauthorized serialized object attempt"; flow:to_server,established; content:"|AC ED 00 05|"; content:"/runtime/callsite/"; distance:0; content:"|00 0C|java.io.File"; distance:0; content:"|70 74 00 07|execute"; within:100; content:"|00 0A|loadFactor"; within:400; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service java_rmi; reference:cve,2016-8735; reference:url,github.com/frohoff/ysoserial; reference:url,tomcat.apache.org/security-6.html; classtype:attempted-user; sid:46071; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-APACHE FrontPage privilege escalation attempt"; flow:to_server,established; file_data; content:"/usr/local/apache/logs/fpcgisock"; fast_pattern:only; content:"mod_suexec.c"; content:"mod_suexec.so"; content:"FPScriptLog"; metadata:service smtp; classtype:attempted-admin; sid:46116; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-APACHE FrontPage privilege escalation attempt"; flow:to_client,established; file_data; content:"/usr/local/apache/logs/fpcgisock"; fast_pattern:only; content:"mod_suexec.c"; content:"mod_suexec.so"; content:"FPScriptLog"; metadata:service ftp-data, service http, service imap, service pop3; classtype:attempted-admin; sid:46115; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Jetspeed User Manager service unauthorized API access attempt"; flow:to_server,established; content:"/jetspeed/services/usermanager/users/"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2016-2171; classtype:policy-violation; sid:46336; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt"; flow:to_server,established; content:"/jetspeed/services/pagemanagement/info/.psml/_user/"; fast_pattern:only; http_uri; content:"title"; nocase; http_client_body; pcre:"/title(=|%3d)[^\x0d]*?([\x3c\x3e\x28\x29]|script|onload|src|%3c|%3e|%28|%29)/iP"; metadata:service http; reference:cve,2016-0711; classtype:attempted-user; sid:46327; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-APACHE Apache Jetspeed PageManagementService persistent XSS attempt"; flow:to_client,established; file_data; content:"/jetspeed/services/pagemanagement/info/.psml/_user/"; fast_pattern; nocase; content:"title"; within:200; content:"value"; within:50; pcre:"/value(=|%3d)[\x22\x27][^\x22\x27]*?([\x3c\x3e\x28\x29]|script|onload|src|%3c|%3e|%28|%29)/i"; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2016-0711; classtype:attempted-user; sid:46326; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache mod_http2 NULL pointer dereference attempt"; flow:to_server,established; file_data; content:"HTTP/1.0"; content:!"Host:"; http_header; content:"Upgrade: h2c"; fast_pattern:only; http_header; metadata:service http; reference:cve,2017-7659; classtype:denial-of-service; sid:46428; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts ognl remote code execution attempt"; flow:to_server,established; content:"ognl."; fast_pattern:only; http_uri; content:"${"; http_uri; content:"#request"; distance:0; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-user; sid:47691; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts java.lang.ProcessBuilder class access attempt"; flow:to_server,established; content:"${"; http_uri; content:"java.lang.ProcessBuilder"; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-user; sid:47690; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts java.net.Socket class access attempt"; flow:to_server,established; content:"${"; http_uri; content:"java.net.Socket"; distance:0; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-user; sid:47689; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; content:"@java.lang.Runtime@getRuntime("; http_uri; content:".exec"; within:10; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-admin; sid:47634; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tika crafted HTTP header command injection attempt"; flow:to_server,established; content:"X-Tika-OCRtesseractPath"; http_header; content:"|00|"; within:200; http_header; pcre:"/X-Tika-OCRtesseractPath:[^\r\n]+?\x00/Hi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-1335; classtype:attempted-user; sid:47615; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt"; flow:to_server,established; content:"/jk-manager|3B|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11759; classtype:attempted-user; sid:48384; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt"; flow:to_server,established; content:"/jkmanager|3B|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11759; classtype:attempted-user; sid:48383; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt"; flow:to_server,established; content:"/jk-status|3B|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11759; classtype:attempted-user; sid:48382; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt"; flow:to_server,established; content:"/jkstatus|3B|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11759; classtype:attempted-user; sid:48381; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,8088,8090] (msg:"SERVER-APACHE Apache Hadoop YARN ResourceManager arbitrary command execution attempt"; flow:to_server,established; content:"/ws/v1/cluster/apps"; fast_pattern:only; http_uri; content:"am-container-spec"; nocase; http_client_body; content:"YARN"; http_client_body; content:"commands"; nocase; http_client_body; content:"command"; within:80; nocase; http_client_body; pcre:"/command.{0,2}\:.{0,10}(echo|bash)/Psmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,rapid7.com/db/modules/exploit/linux/http/hadoop_unauth_exec; classtype:attempted-user; sid:48474; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"#context"; distance:0; fast_pattern; content:".multipart/form-data"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5638; reference:cve,2017-9791; reference:url,cwiki.apache.org/confluence/display/WW/S2-045; classtype:attempted-admin; sid:49377; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"OgnlContext"; distance:0; content:"|23|_memberAccess"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5638; reference:cve,2017-9791; reference:url,cwiki.apache.org/confluence/display/WW/S2-045; classtype:attempted-admin; sid:49376; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts2 remote code execution attempt"; flow:to_server,established; content:".do?action|3A|"; nocase; http_uri; content:".start|28 29|"; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2013-2251; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:web-application-attack; sid:49885; rev:1;)