
@Epivalent
Created July 10, 2024 12:50

The Suricata rule you provided is intended to detect HTTP GET requests that might be attempting to exploit CVE-2024-36991. However, there are a few issues with the rule that could prevent it from matching HTTP GET requests as expected.

Here is the original rule for reference:

alert tcp any any -> any any (msg:"Attempted exploitation of CVE-2024-36991 - Splunk Enterprise path traversal"; http.method; content:"GET"; flowbits: set, cve-2024-36991; reference:url,https://nvd.nist.gov/vuln/detail/CVE-2024-36991; sid:1007202401; rev:1;)

Issues and Fixes

  1. http.method keyword usage: The http.method keyword in Suricata rules does not exist. Instead, you should use the http_method keyword to match specific HTTP methods.

  2. Content Matching: The content:"GET" clause is redundant if you're using the correct http_method keyword because http_method already matches specific HTTP methods like GET.

  3. Flow Direction: Ensure that your traffic direction (tcp any any -> any any) makes sense for your network setup and where you expect to see this traffic.

Here's a revised version of your rule:

alert http any any -> any any (msg:"Attempted exploitation of CVE-2024-36991 - Splunk Enterprise path traversal"; content:"GET"; http_method; flowbits:set,cve-2024-36991; reference:url,https://nvd.nist.gov/vuln/detail/CVE-2024-36991; sid:1007202401; rev:2;)

However, since we are looking specifically for an HTTP GET request and assuming we want to detect some form of path traversal attempt within the URL or headers, we might need more specific content matching related to typical path traversal patterns (e.g., "../").

A more refined example might look like this:

alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Attempted exploitation of CVE-2024-36991 - Splunk Enterprise path traversal"; flow:to_server,established; content:"GET"; http_method; uricontent:"../"; nocase; flowbits:set,cve_2024_36991_attempted_exploit; reference:url,https://nvd.nist.gov/vuln/detail/CVE-2024-36991; classtype:web-app-attacks; sid:1007202402; rev:1;)

Explanation:

  1. Protocol Specification: Changed from tcp to http, which is more appropriate for detecting HTTP-specific traffic.

  2. Flow Direction: Specified $HOME_NET and $EXTERNAL_NET, which are common variables used in Suricata configurations representing internal and external networks respectively.

  3. Port Specification: Used $HTTP_PORTS, which typically includes ports 80 and 443 among others.

  4. Flow Control: Added flow:to_server,established, ensuring that only established connections going towards servers are inspected.

  5. URI Content Matching: Added uricontent:"../", which looks for typical directory traversal patterns in URLs.

  6. Case Insensitivity: Added nocase option to make the pattern matching case-insensitive.

  7. Classification Type & SID/Revision Update: Updated classification type (classtype:web-app-attacks) and incremented SID/revision numbers appropriately.

This should provide a better match for potential exploitation attempts involving directory traversal via an HTTP GET request targeting CVE-2024-36991 in Splunk Enterprise or similar vulnerabilities.
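As an added example (not part of this gist and not Suricata's own parser), the small Python linter below applies the ordering rules the two keyword families follow: `http.method` and the other dotted names are sticky buffers (Suricata 5.0 and later) that select the buffer for the `content` that follows them, while `http_method`, `nocase` and the other legacy modifiers attach to the `content` that precedes them. It also flags spaces inside a `flowbits` value, the deprecated `uricontent`, a `classtype` missing from the default classification.config, and a `flow:to_server` rule whose destination is `$EXTERNAL_NET` (which watches requests leaving the home network rather than requests reaching a server inside it). The test rules are constructed copies patterned on the rules discussed above plus a clean variant; the keyword lists are partial and the authoritative check remains loading the file with `suricata -T -c suricata.yaml -S test.rules`.

```python
# Added example: a toy linter for single-line Suricata rules. Not Suricata's
# parser; `suricata -T -c suricata.yaml -S test.rules` is the real check.
import re

HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$", re.S)

# Sticky buffers (Suricata 5.0+) select the buffer for the content that FOLLOWS them.
STICKY_BUFFERS = {"http.method", "http.uri", "http.uri.raw", "http.header", "http.host"}
# Legacy modifiers apply to the content that PRECEDES them.
LEGACY_MODIFIERS = {"http_method", "http_uri", "http_raw_uri", "http_header", "http_host",
                    "nocase", "depth", "offset", "distance", "within"}
PATTERN_KEYWORDS = {"content", "uricontent", "pcre"}
HTTP_KEYWORDS = STICKY_BUFFERS | {k for k in LEGACY_MODIFIERS if k.startswith("http_")} | {"uricontent"}
FLOWBITS_ACTIONS = {"set", "unset", "toggle", "isset", "isnotset", "noalert"}
# Partial list of the classtypes shipped in the default classification.config.
DEFAULT_CLASSTYPES = {"not-suspicious", "unknown", "bad-unknown", "attempted-recon",
                      "attempted-user", "attempted-admin", "trojan-activity", "misc-attack",
                      "misc-activity", "web-application-activity", "web-application-attack"}


def split_options(opts):
    """Split 'k:v; k2; ...' into (keyword, value-or-None) pairs; ';' inside quotes is literal."""
    items, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            buf.append(ch); escaped = True
        elif ch == ";" and not quoted:
            items.append("".join(buf)); buf = []
        else:
            if ch == '"':
                quoted = not quoted
            buf.append(ch)
    items.append("".join(buf))
    pairs = []
    for item in (i.strip() for i in items):
        if item:
            key, sep, value = item.partition(":")
            pairs.append((key.strip(), value.strip() if sep else None))
    return pairs


def lint(rule):
    """Return 'error: ...', 'warning: ...' and 'info: ...' findings; empty list if clean."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["error: rule header does not parse"]
    opts = split_options(m.group("opts"))
    keys = {k for k, _ in opts}
    findings = []
    if keys & HTTP_KEYWORDS and m.group("proto") != "http":
        findings.append(f"info: HTTP keywords with protocol '{m.group('proto')}'; 'alert http' is the usual header")
    pending_sticky = None  # sticky buffer still waiting for its content
    last_pattern = None    # most recent content/uricontent/pcre a modifier can attach to
    for key, value in opts:
        if key in STICKY_BUFFERS:
            if pending_sticky:
                findings.append(f"error: sticky buffer '{pending_sticky}' has no content before '{key}'")
            pending_sticky, last_pattern = key, None
        elif key in PATTERN_KEYWORDS:
            pending_sticky, last_pattern = None, key
            if key == "uricontent":
                findings.append("warning: 'uricontent' is deprecated; use 'http.uri; content:...'")
        elif key in LEGACY_MODIFIERS and last_pattern is None:
            findings.append(f"error: modifier '{key}' needs a preceding content match")
        elif key == "flowbits":
            raw = value or ""
            compact = raw.replace(" ", "")
            if compact != raw:
                findings.append(f"warning: flowbits value '{raw}' contains spaces; write '{compact}'")
            action, _, name = compact.partition(",")
            if action not in FLOWBITS_ACTIONS:
                findings.append(f"error: unknown flowbits action '{action}'")
            elif action != "noalert" and not name:
                findings.append(f"error: flowbits '{action}' needs a bit name")
        elif key == "classtype" and value not in DEFAULT_CLASSTYPES:
            findings.append(f"warning: classtype '{value}' is not in the default classification.config")
        elif key == "flow" and "to_server" in (value or "") and m.group("dst") == "$EXTERNAL_NET":
            findings.append("info: to_server towards $EXTERNAL_NET watches outbound requests; swap the addresses if the protected server is internal")
    if pending_sticky:
        findings.append(f"error: sticky buffer '{pending_sticky}' is not followed by a content match")
    findings += [f"error: missing '{k}'" for k in ("sid", "rev") if k not in keys]
    return findings


MSG = 'msg:"Attempted exploitation of CVE-2024-36991 - Splunk Enterprise path traversal"; '
REF = "reference:url,https://nvd.nist.gov/vuln/detail/CVE-2024-36991; "
RULES = {  # constructed test rules patterned on the rules discussed on the page
    "original": "alert tcp any any -> any any (" + MSG + 'http.method; content:"GET"; '
                "flowbits: set, cve-2024-36991; " + REF + "sid:1007202401; rev:1;)",
    "modifier_first": "alert http any any -> any any (" + MSG + 'http_method; content:"GET"; '
                      "flowbits:set,cve-2024-36991; " + REF + "sid:1007202401; rev:2;)",
    "refined": "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (" + MSG
               + 'flow:to_server,established; content:"GET"; http_method; uricontent:"../"; nocase; '
               "flowbits:set,cve_2024_36991_attempted_exploit; " + REF
               + "classtype:web-app-attacks; sid:1007202402; rev:1;)",
    "clean": "alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (" + MSG
             + 'flow:to_server,established; http.method; content:"GET"; http.uri; content:"../"; '
             "flowbits:set,cve_2024_36991_attempted_exploit; " + REF
             + "classtype:web-application-attack; sid:1007202402; rev:2;)",
}


def lint_all(rules=RULES):
    return {name: lint(rule) for name, rule in rules.items()}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        print(f"== {name}")
        for line in findings or ["ok"]:
            print("   ", line)
```

Running the script prints one block per test rule: the original rule gets only the protocol note and the flowbits whitespace warning, the `modifier_first` variant gets the ordering error, the refined rule collects the `uricontent`, `classtype` and direction findings, and the clean variant produces nothing.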

Wed 10 Jul 14:50:21 CEST 2024 - why doesn't this Suricata rule match an HTTP GET request? alert tcp any any -> any any (msg:"Attempted exploitation of CVE-2024-36991 - Splunk Enterprise path traversal"; http.method; content:"GET"; flowbits: set, cve-2024-36991; reference:url,https://nvd.nist.gov/vuln/detail/CVE-2024-36991; sid:1007202401; rev:1;)
