Suricata Custom Rules

Solr RCE CVE-2019-0193

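# Solr POST RCE CVE-2019-0193
# Request side: a POST to /solr/<core>/config whose body toggles
# params.resource.loader.enabled (the step that unlocks Velocity template
# evaluation). Sets a flowbit that the matching response rule (sid 3020017)
# checks, so the request and response alerts can be correlated per flow.
# NOTE(review): the indicators used here (params.resource.loader.enabled,
# wt=velocity) are the VelocityResponseWriter template-injection technique,
# which appears to have been assigned CVE-2019-17558 after this rule was
# written; CVE-2019-0193 is the DataImportHandler dataConfig RCE. Confirm the
# CVE tag before relying on it for reporting.
# Changes vs rev 1: fast_pattern moved off "POST" (matches nearly every HTTP
# request, so the prefilter gave no benefit) onto the body string, which is
# rare and specific; classtype changed from shellcode-detect (wrong category
# for an HTTP application attack) to web-application-attack.
# Caveat: the body match is subject to the configured request-body-limit;
# a large or chunked/compressed body may not be fully inspected.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL RULES EXPLOIT Solr RCE CVE-2019-0193 POST"; flow:to_server,established; content:"POST"; http_method; content:"/solr"; http_uri; content:"/config"; http_uri; content:"params.resource.loader.enabled"; http_client_body; fast_pattern; flowbits:set,CVE-2019-0193.post.request; classtype:web-application-attack; sid:3020016; rev:2; metadata:attack_target web_server, signature_severity Critical, direction outside_to_inside, created_at 2019_10_31, updated_at 2019_10_31, author Canon, tag RCE, tag CVE-2019-0193, tag http, tag exploit, tag Solr;)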

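# Response side for sid 3020016: fires on an HTTP 200 in a flow where the
# /config POST was seen.
# Changes vs rev 1:
#  - Rule header direction fixed. This is a server->client rule
#    (flow:from_server, http_stat_code), so the response packet has
#    src=$HOME_NET and dst=$EXTERNAL_NET; with the original
#    "$EXTERNAL_NET -> $HOME_NET" header it could never match under the
#    default variable definitions.
#  - flowbits:unset added so the bit is consumed by the first response;
#    without it every later 200 on the same keep-alive connection would
#    also alert.
#  - classtype changed from shellcode-detect to web-application-attack.
# Caveat: a 200 here means the config change was accepted, not that a
# command was executed; treat it as "attack step succeeded", and pair it
# with the GET rule (sid 3020019) for the actual template execution.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL RULES EXPLOIT Solr RCE CVE-2019-0193 POST Successful"; flow:from_server,established; flowbits:isset,CVE-2019-0193.post.request; flowbits:unset,CVE-2019-0193.post.request; content:"200"; http_stat_code; classtype:web-application-attack; sid:3020017; rev:2; metadata:attack_target web_server, signature_severity Critical, direction outside_to_inside, created_at 2019_10_31, updated_at 2019_10_31, author Canon, tag RCE, tag CVE-2019-0193, tag http, tag exploit, tag Solr;)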

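# Solr GET RCE CVE-2019-0193
# Request side: a GET to /solr/<core>/select? that selects the Velocity
# response writer (wt=velocity) and carries a template invoking
# java.lang.Runtime.getRuntime().exec in the query string. Sets a flowbit
# that the matching response rule (sid 3020019) checks.
# NOTE(review): as with sid 3020016, these indicators describe the
# VelocityResponseWriter technique (apparently CVE-2019-17558), not the
# DataImportHandler RCE that CVE-2019-0193 refers to; confirm the tag.
# Changes vs rev 1: fast_pattern moved from "/solr" (present on every Solr
# request) to "wt=velocity", which is rare and specific; classtype changed
# from shellcode-detect to web-application-attack.
# Coverage caveats (not changed here, flagged for the maintainer):
#  - The template is frequently percent-encoded by exploit tooling; verify
#    that the normalized http_uri buffer decodes the query string in your
#    Suricata/libhtp version, otherwise "getRuntime().exec" will not be seen
#    and a pcre over the raw URI (or dropping that last match) is needed.
#  - The same parameters can be sent in a POST body or via another request
#    handler; this rule only covers GET against /select.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL RULES EXPLOIT Solr RCE CVE-2019-0193 GET"; flow:to_server,established; content:"GET"; http_method; content:"/solr"; http_uri; content:"/select?"; http_uri; content:"wt=velocity"; http_uri; fast_pattern; content:"java.lang.Runtime"; http_uri; content:"getRuntime().exec"; http_uri; flowbits:set,CVE-2019-0193.get.request; classtype:web-application-attack; sid:3020018; rev:2; metadata:attack_target web_server, signature_severity Critical, direction outside_to_inside, created_at 2019_10_31, updated_at 2019_10_31, author Canon, tag RCE, tag CVE-2019-0193, tag http, tag exploit, tag Solr;)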

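# Response side for sid 3020018: fires on an HTTP 200 in a flow where the
# velocity GET was seen.
# Changes vs rev 1:
#  - Rule header direction fixed to $HOME_NET -> $EXTERNAL_NET: this is a
#    server->client rule (flow:from_server, http_stat_code), and the
#    original header direction would not match the response packet under
#    the default variable definitions.
#  - flowbits:unset added so only the first response after the request
#    alerts, not every subsequent 200 on the same keep-alive connection.
#  - classtype changed from shellcode-detect to web-application-attack.
# Caveat: a 200 indicates the template was rendered without a server error;
# command output, if any, would be in the response body and is not checked
# here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL RULES EXPLOIT Solr RCE CVE-2019-0193 GET Successful"; flow:from_server,established; flowbits:isset,CVE-2019-0193.get.request; flowbits:unset,CVE-2019-0193.get.request; content:"200"; http_stat_code; classtype:web-application-attack; sid:3020019; rev:2; metadata:attack_target web_server, signature_severity Critical, direction outside_to_inside, created_at 2019_10_31, updated_at 2019_10_31, author Canon, tag RCE, tag CVE-2019-0193, tag http, tag exploit, tag Solr;)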