Apache struts exploit detection

Zeek
1

Hi all

For the likes of the apache struts web application attack that the actual exploit is contained within a web http GET request. Or let’s say any web app attack that is embedded within the referer field like embedded JavaScript can bro actually view or log that level of info?

I can see bro will see things like http user agent fields and get or post request but for the actual malicious code embedded further in the request I’m assuming isn’t captured?

My ips obviously captures that alert data and I can see the the exploit but the bro data from the http log I’ll only see “GET / HTTP1.1” and that’s all

Cheers
John

2

Here’s an example script that will detect CVE-2017-5638 exploit attempts and log the contents of the header.

https://github.com/set-element/misc-scripts/blob/master/CVE-2017-5638_struts.bro

For future reference the key component is:

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=5

{

look if the connection is from offsite and the value is content-type

if ( !Site::is_local_addr(c$id$orig_h) && name == “CONTENT-TYPE” && detection_string in value )

{

NOTICE([$note=HTTP_StrutsAttack, $src=c$id$orig_h, $msg=fmt(“CVE-2017-5638/Struts attack from %s seen: %s”, c$id$orig_h, value)]);

}

}

Please note that this is not my script, it is set-element’s. Depending on the situation you may want to check the src/dst to add exemptions (vulnerability scanning boxes?), ignore or specifically monitor Site::is_private_addr src/dsts, add $identifier/$suppress_for to the NOTICE, replace $src=… with $conn=c to get more details in the notice log, etc. All depends on what you want, those are just things I would do.

Jon

3

Deploy this outstanding bro detection script for this vulnerability:

https://github.com/initconf/CVE-2017-5638_struts.git

4

And note that Aashish made it so you can install it using bro-pkg :slight_smile:

Johanna

5

I just wanted to add onto this thread and mention that it appears there is a new way to exploit CVE-2017-5638 which neither of the prior scripts are currently looking for. I’ve opened #3 on Aashish’s repo to provide more details.

Jon