stamparm/drupalgeddon2.rules

Last active October 16, 2018 22:06

Star 2 You must be signed in to star a gist
Fork 0 You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/stamparm/0cfd0d6a2a906fde2e1cb527262fb8d5.js"></script>
Save stamparm/0cfd0d6a2a906fde2e1cb527262fb8d5 to your computer and use it in GitHub Desktop.

Download ZIP

Snort rule for "Drupalgeddon2 (CVE-2018-7600)"

Raw

drupalgeddon2.rules

alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Drupalgeddon2 (CVE-2018-7600)"; flow: to_server,established; content:"POST"; http_method; content:"markup"; fast_pattern; content: "/user/register"; http_uri; pcre:"/(access_callback|pre_render|lazy_builder|post_render)/i"; classtype:web-application-attack; sid:9000110; rev:1;)

Author

stamparm commented Apr 13, 2018 •

edited

References:

https://www.drupal.org/sa-core-2018-002
https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py
https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
https://research.checkpoint.com/uncovering-drupalgeddon-2/
https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment