Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Snort rule for "Drupalgeddon2 (CVE-2018-7600)"
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Drupalgeddon2 (CVE-2018-7600)"; flow: to_server,established; content:"POST"; http_method; content:"markup"; fast_pattern; content: "/user/register"; http_uri; pcre:"/(access_callback|pre_render|lazy_builder|post_render)/i"; classtype:web-application-attack; sid:9000110; rev:1;)
You can’t perform that action at this time.