Talos Rules 2018-08-23
Talos is aware of vulnerabilities affecting Apache Struts.

A coding deficiency exists in Apache Struts that may lead to remote code execution. Reference: https://cwiki.apache.org/confluence/display/WW/S2-057

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified by GID 1, SIDs 29639, 39190 through 39191, and 47634.

Change logs

2018-08-23 19:29:51 UTC

Snort Subscriber Rules Update

Date: 2018-08-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47634 <-> ENABLED <-> SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt (server-apache.rules)

Modified Rules:


 * 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)

2018-08-23 19:29:51 UTC

Snort Subscriber Rules Update

Date: 2018-08-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47634 <-> ENABLED <-> SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt (server-apache.rules)

Modified Rules:


 * 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)

2018-08-23 19:29:51 UTC

Snort Subscriber Rules Update

Date: 2018-08-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47634 <-> ENABLED <-> SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt (snort3-server-apache.rules)

Modified Rules:


 * 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (snort3-server-apache.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (snort3-server-apache.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (snort3-server-apache.rules)

2018-08-23 19:29:51 UTC

Snort Subscriber Rules Update

Date: 2018-08-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47634 <-> ENABLED <-> SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt (server-apache.rules)

Modified Rules:


 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)

2018-08-23 19:29:51 UTC

Snort Subscriber Rules Update

Date: 2018-08-23

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47634 <-> ENABLED <-> SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt (server-apache.rules)

Modified Rules:


 * 1:29639 <-> DISABLED <-> SERVER-APACHE Apache Struts wildcard matching OGNL remote code execution attempt (server-apache.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)