Skip to content

Instantly share code, notes, and snippets.

@stamparm stamparm/2017-5638.rules
Last active Jan 30, 2018

What would you like to do?
Snort rule for Apache Struts Remote Code Execution (2017-5638)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB_SERVER Apache Struts Remote Code Execution (2017-5638)"; flow:established,to_server; content:"opensymphony"; fast_pattern:only; content:"Content-Type|3a 20|"; http_header; pcre:"/Content-Type: [ ]*[%$]{[^\r\n]*#\w+/Hi"; reference:cve,2017-5638; classtype:web-application-attack; sid:9000101; rev:2;)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.