Last active October 16, 2018 22:06
Snort rule for "Drupalgeddon2 (CVE-2018-7600)"
alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Drupalgeddon2 (CVE-2018-7600)"; flow: to_server,established; content:"POST"; http_method; content:"markup"; fast_pattern; content: "/user/register"; http_uri; pcre:"/(access_callback|pre_render|lazy_builder|post_render)/i"; classtype:web-application-attack; sid:9000110; rev:1;)
References:
https://www.drupal.org/sa-core-2018-002
https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py
https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
https://research.checkpoint.com/uncovering-drupalgeddon-2/
https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/