SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt
This alert is triggered when an adversary is attempting to exploit CVE-2013-6810 a directory traversal vulnerability in the EMC Connectrix Manager via its FileUploadController.
EMC Connectrix Manager is a web application for managing Connectrix switches. A directory traversal vulnerability would allow an attacker to access files on the server that are outside the intended directory. The specific point of interest here is the "FileUploadController," which the attacker is trying to exploit by sending specially crafted filenames in their request.
Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP EMC Connectrix Manager FileUploadController directory traversal attempt"; flow:to_server,established; content:"/FileUploadController"; fast_pattern:only; http_uri; content:"form-urlencoded"; http_header; content:"filename="; nocase; http_client_body; pcre:"/filename=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,64242; reference:cve,2013-6810; classtype:attempted-admin; sid:29391; rev:7;)
Recommendations/Investigative actions
It is recommended to immediately identify the server receiving this traffic and verify if it's running a vulnerable version of EMC Connectrix Manager. If so, patch or update the software to a non-vulnerable version.
Inspect server logs to determine if the attempted exploitation was successful. Look for signs of unauthorized access, data exfiltration, or further exploitation attempts.
Relations to other alerts