@stamparm
Last active January 30, 2018 05:29
Snort rule for Apache Struts Remote Code Execution (2017-5638)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB_SERVER Apache Struts Remote Code Execution (2017-5638)"; flow:established,to_server; content:"opensymphony"; fast_pattern:only; content:"Content-Type|3a 20|"; http_header; pcre:"/Content-Type: [ ]*[%$]{[^\r\n]*#\w+/Hi"; reference:cve,2017-5638; classtype:web-application-attack; sid:9000101; rev:2;)
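
A quick way to sanity-check the rule's three conditions offline, added here as an example and not part of the original gist: the Python below approximates the rule's logic (it is not Snort's engine or its HTTP normalization) and runs it over constructed sample requests. The names `rule_matches`, `split_request` and `SAMPLES`, the host and the placeholder header values are all assumptions made for the illustration.

```python
import re

# The rule's pcre. Its "H" flag (http_header buffer) is modelled by searching
# only the header block, its "i" flag by re.IGNORECASE. The "{" is escaped
# here; in the rule it is unescaped and taken literally.
HEADER_PCRE = re.compile(rb"Content-Type: [ ]*[%$]\{[^\r\n]*#\w+", re.IGNORECASE)

def split_request(raw: bytes):
    """Return (header block without the request line, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers, body

def rule_matches(raw: bytes) -> bool:
    """Simplified model of the rule: all three options must hold."""
    headers, _body = split_request(raw)
    return (
        b"opensymphony" in raw            # content:"opensymphony"; (no buffer modifier)
        and b"Content-Type: " in headers  # content:"Content-Type|3a 20|"; http_header;
        and HEADER_PCRE.search(headers) is not None
    )

# Constructed requests; the expression-like values are inert placeholders.
REQ = b"POST /upload.action HTTP/1.1\r\nHost: app.example\r\n"
SAMPLES = {
    "expression_in_header": REQ
        + b"Content-Type: %{#constructed.opensymphony.placeholder}\r\n\r\n",
    "dollar_form_extra_space": REQ
        + b"Content-Type:  ${#constructed.opensymphony}\r\n\r\n",
    "benign_multipart": REQ
        + b"Content-Type: multipart/form-data; boundary=abc\r\n\r\n--abc--",
    "keyword_only_in_body": REQ
        + b"Content-Type: text/plain\r\n\r\nnotes on opensymphony %{#x}",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:26} alert={rule_matches(raw)}")
```

The last sample shows why the `H` flag matters: expression-like text in the body does not trigger the rule when the `Content-Type` header itself is ordinary.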