SERVER-APACHE Apache Struts remote code execution attempt

This Snort rule detects patterns associated with Apache Struts remote code execution exploitation in the HTTP URI of an established TCP connection to standard HTTP ports. If both patterns are found, the rule triggers an alert.

ID Number

39190

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern:only; http_uri; content:"@java.lang."; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3087; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; reference:url,struts.apache.org/docs/s2-033.html; classtype:attempted-admin; sid:39190; rev:3;)
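The signature carries two URI content checks: "|23|_memberAccess" (hex 23 is "#", matched case-sensitively and used as the fast pattern) and "@java.lang." (with nocase). Both are evaluated against Snort's http_uri buffer, which is the normalized URI, so a percent-encoded "%23" decodes to "#" before matching. The Python below is an added example, not code from the rule or from Snort, that re-implements those two checks over constructed sample requests so an analyst can see which requests would fire SID 39190 and why the others would not. The percent-decoding step is an assumption that approximates Snort's URI normalization; its other normalizations (double-decoding, directory traversal, etc.) depend on preprocessor configuration and are not modelled.

```python
"""Reference matcher for Snort SID 39190 (added example, not the rule's own code)."""
from urllib.parse import unquote

# Content matches taken from the signature. |23| is hex for '#' and has no
# nocase modifier, so it is case-sensitive; "@java.lang." is nocase.
MEMBER_ACCESS = "#_memberAccess"
JAVA_LANG = "@java.lang."


def normalize_uri(raw_uri: str) -> str:
    """Approximate Snort's http_uri buffer by percent-decoding the URI.
    Assumption: a single round of decoding is enough for these samples."""
    return unquote(raw_uri)


def matches_sid_39190(raw_uri: str) -> bool:
    """Return True when both URI content checks of SID 39190 would fire."""
    uri = normalize_uri(raw_uri)
    if MEMBER_ACCESS not in uri:              # fast pattern, case-sensitive
        return False
    return JAVA_LANG.lower() in uri.lower()   # second content, nocase


def request_uri(request: bytes) -> str:
    """Extract the request-target from the first line of a raw HTTP request."""
    first_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def triage(requests):
    """Run the matcher over a list of raw requests; returns [(uri, hit), ...]."""
    return [(request_uri(r), matches_sid_39190(request_uri(r))) for r in requests]


# Constructed sample traffic for illustration (not real captures).
SAMPLES = [
    # Ordinary Struts action request: neither pattern present, no alert.
    b"GET /app/orders.action?id=42 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # Encoded '#' decodes to "#_memberAccess" and "@java.lang." follows: alert.
    b"GET /app/orders.action?id=%23_memberAccess%3D%40java.lang.Object HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # First pattern only: the second content check fails, no alert.
    b"GET /app/orders.action?q=%23_memberAccess HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # Upper-case Java package reference still matches because of nocase: alert.
    b"GET /app/a.action?x=%23_memberAccess+%40JAVA.LANG.Integer HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    # Wrong case on the case-sensitive fast pattern: no alert.
    b"GET /app/a.action?x=%23_MEMBERACCESS%40java.lang.Object HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]

if __name__ == "__main__":
    for uri, hit in triage(SAMPLES):
        print("ALERT" if hit else "ok   ", uri)
```

The last two samples are the ones worth noting during triage: the rule is case-insensitive on "@java.lang." but case-sensitive on "#_memberAccess", and it only inspects the URI, so the same strings in a POST body would not fire this particular signature.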

MITRE ATT&CK Technique

-

Severity

medium

Recommendations/Investigative actions

Identify the source and destination and check whether the Apache Struts framework is installed on the destination (it may be embedded in Java applications or other software). If needed, consult the OT engineer or the software vendor. This event can be triggered by legitimate traffic from an application; in that case the event can be closed. Otherwise, it may be part of an exploitation attempt by a malicious actor leveraging a vulnerability. If no Apache Struts framework is involved, it is a false positive and the rule can be disabled.