SERVER-WEBAPP Sophos Web Protection Appliance sblistpack arbitrary command execution attempt

This alert is triggered when an attempt to exploit CVE-2013-4983 and CVE-2013-4984, command injection vulnerabilities in the Sophos Web Protection Appliance, is detected. The rule looks for shell metacharacters (raw or URL-encoded) in the "domain" parameter of a request to the blocked-page "continue" handler. Sophos Web Protection Appliance is a security solution designed to filter and monitor web traffic to protect users from web-based threats.

ID Number

27942

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Sophos Web Protection Appliance sblistpack arbitrary command execution attempt"; flow:to_server,established; content:"c=blocked"; fast_pattern:only; http_uri; content:"action=continue"; nocase; http_uri; content:"domain="; nocase; http_client_body; pcre:"/domain=[^&]*?([\x3b\x60]|\x24\x28|%3b|%60|%24%28)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,62263; reference:bugtraq,62265; reference:cve,2013-4983; reference:cve,2013-4984; reference:url,www.sophos.com/en-us/support/knowledgebase/119773.aspx; classtype:attempted-admin; sid:27942; rev:3;)
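To make the rule's conditions concrete, the following Python re-implements the content and pcre checks of SID 27942 and runs them over a handful of constructed HTTP requests. This is an added example, not Snort's engine and not Talos or Sophos code: the request parser, the placeholder path /index.php, the host name and the sample bodies are assumptions for illustration, and the flow:to_server,established condition is not modelled.

```python
import re
from typing import NamedTuple

# Re-implementation of the matching conditions in SID 27942 for illustration.
# Assumption: the caller feeds inbound, established HTTP requests to the
# server (the rule's flow:to_server,established), which is not modelled here.

# content:"c=blocked"; fast_pattern:only; http_uri
URI_FAST_PATTERN = b"c=blocked"
# content:"action=continue"; nocase; http_uri
URI_ACTION = b"action=continue"
# content:"domain="; nocase; http_client_body
BODY_DOMAIN = b"domain="
# pcre:"/domain=[^&]*?([\x3b\x60]|\x24\x28|%3b|%60|%24%28)/Pi"
#   P = evaluate against the HTTP client body, i = case-insensitive.
#   Alternatives: ';' or '`' raw, '$(' raw, and their URL-encoded forms.
BODY_PCRE = re.compile(rb"domain=[^&]*?([\x3b\x60]|\x24\x28|%3b|%60|%24%28)", re.IGNORECASE)


class HttpRequest(NamedTuple):
    method: bytes
    uri: bytes
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request splitter (hypothetical helper, not Snort's HTTP inspector)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return HttpRequest(method=parts[0], uri=parts[1], body=body)


def matches_sid_27942(req: HttpRequest) -> bool:
    """Return True when every content and pcre condition of the rule holds."""
    uri = req.uri.lower()
    body = req.body.lower()
    # fast_pattern:only contents are matched case-insensitively by the fast-pattern matcher
    if URI_FAST_PATTERN not in uri:
        return False
    if URI_ACTION not in uri:          # nocase
        return False
    if BODY_DOMAIN not in body:        # nocase, http_client_body
        return False
    # The metacharacter must sit inside the domain= value, i.e. before the next '&'
    return BODY_PCRE.search(req.body) is not None


def build_request(uri: bytes, body: bytes) -> bytes:
    """Assemble a constructed POST request for the samples below."""
    return (b"POST " + uri + b" HTTP/1.1\r\nHost: wpa.example\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample requests; /index.php is a placeholder, not the appliance's real path.
SAMPLES = {
    # ordinary "continue to site" submission: no metacharacter in domain=
    "benign": build_request(b"/index.php?c=blocked&action=continue",
                            b"domain=www.example.com&url=http%3a%2f%2fwww.example.com%2f"),
    # URL-encoded ';' inside the domain value
    "encoded_semicolon": build_request(b"/index.php?c=blocked&action=continue",
                                       b"domain=www.example.com%3Becho&url=http%3a%2f%2fwww.example.com%2f"),
    # raw '$(' inside the domain value
    "subshell": build_request(b"/index.php?c=blocked&action=continue",
                              b"domain=www.example.com$(echo)&url=http%3a%2f%2fwww.example.com%2f"),
    # mixed case: nocase, fast_pattern and the pcre /i flag all still apply
    "mixed_case": build_request(b"/index.php?C=Blocked&Action=Continue",
                                b"Domain=www.example.com;echo"),
    # same body, but the URI gate (c=blocked) is absent, so the rule does not fire
    "other_uri": build_request(b"/index.php?c=other&action=continue",
                               b"domain=www.example.com%3Becho"),
}


def scan_samples() -> dict:
    """Run the rule logic over every constructed sample; returns name -> fired."""
    return {name: matches_sid_27942(parse_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in scan_samples().items():
        print(f"{name:18s} {'ALERT sid:27942' if fired else 'no alert'}")
```

Two details of the signature are worth noticing when reading alerts: the URI contents gate the rule to the blocked-page "continue" handler, so a metacharacter in some other form never fires it, and the `[^&]*?` in the pcre restricts the match to the "domain" value itself. The `%3b`, `%60` and `%24%28` alternatives cover the URL-encoded forms directly, so the rule works on the raw body without depending on decoding.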

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

It is recommended to ensure that the Sophos Web Protection Appliance is up to date with the latest security patches to mitigate these known vulnerabilities. Inspect the appliance and web server logs to determine whether the attempted exploitation was successful, and look for signs of unauthorized access or further exploitation attempts from the same source. If possible, block communication attempts to the appliance from external networks, or allow access only from specific external devices.