Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; content:"@java.lang.Runtime@getRuntime("; http_uri; content:".exec"; within:10; http_uri; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2018-11776; reference:url,cwiki.apache.org/confluence/display/WW/S2-057; classtype:attempted-admin; sid:47634; rev:1;)
2. alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts OGNL getRuntime.exec static method access attempt"; flow:to_server,established; content:"(@java.lang.Runtime@getRuntime()).exec("; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:bugtraq,60345; reference:bugtraq,60346; reference:cve,2013-2134; reference:cve,2013-2135; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-admin; sid:27574; rev:4;)
Recommendations/Investigative actions
It is recommended to investigate the source of this traffic, consider blocking the source IP, and take necessary incident response actions. Ensure your Apache Struts applications are updated to the latest versions or have applied patches to mitigate these vulnerabilities.