SERVER-APACHE Apache Struts remote code execution attempt

This Snort rule detects attempts to exploit the Apache Struts remote code execution vulnerability (CVE-2017-5638 / S2-045, also referenced against CVE-2017-9791). It matches three ordered byte patterns in the HTTP request payload: a Content-Type header, followed by the string #context, followed by the string .multipart/form-data. If all three patterns are found in that order in the payload of an established TCP connection to a server on the standard HTTP ports, the rule triggers an alert.

ID Number

49377

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Struts remote code execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"#context"; distance:0; fast_pattern; content:".multipart/form-data"; distance:0; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2017-5638; reference:cve,2017-9791; reference:url,cwiki.apache.org/confluence/display/WW/S2-045; classtype:attempted-admin; sid:49377; rev:1;)
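To help with tuning and triage, the following added example (not part of this page and not a Snort component) emulates the three ordered content matches of the signature above in Python and runs them over constructed HTTP requests. It models only the content/nocase/distance semantics; the flow, port and fast_pattern parts of the rule are not reproduced. The sample requests, the hostname and the "suspicious" header are constructed placeholders that merely contain the rule's tokens in order.

```python
"""
Emulates the content-matching logic of Snort SID 49377 over raw HTTP request
bytes. Added example for triage/tuning only; flow:to_server,established,
$HTTP_PORTS and fast_pattern selection are not modelled.
"""


def matches_sid_49377(request: bytes) -> bool:
    """Return True if the three content matches succeed in rule order."""
    # content:"Content-Type|3A|"; nocase;  -> case-insensitive search
    idx = request.lower().find(b"content-type:")
    if idx < 0:
        return False
    pos = idx + len(b"content-type:")

    # content:"#context"; distance:0;  -> case-sensitive, must start at or
    # after the end of the previous match (nocase applies only to the first content)
    idx = request.find(b"#context", pos)
    if idx < 0:
        return False
    pos = idx + len(b"#context")

    # content:".multipart/form-data"; distance:0;  -> again relative to previous match
    return request.find(b".multipart/form-data", pos) >= 0


# Constructed sample requests (not real captures). Hostname is a placeholder.
BENIGN_UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Content-Type: multipart/form-data; boundary=----abc123\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Header carrying the rule's three tokens in order; a constructed placeholder
# that exercises the signature, not a working exploit payload.
SUSPICIOUS_HEADER = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Content-Type: #context.multipart/form-data\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Same tokens, wrong order: distance:0 makes ordering mandatory, so no alert.
OUT_OF_ORDER = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: app.example.internal\r\n"
    b"Content-Type: .multipart/form-data #context\r\n\r\n"
)


def triage(requests: dict) -> dict:
    """Map each named request to whether the emulated rule would fire."""
    return {name: matches_sid_49377(req) for name, req in requests.items()}


if __name__ == "__main__":
    samples = {
        "benign_upload": BENIGN_UPLOAD,
        "suspicious_header": SUSPICIOUS_HEADER,
        "out_of_order": OUT_OF_ORDER,
    }
    for name, hit in triage(samples).items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

The benign multipart upload does not fire because no "#context" follows the Content-Type header, which is why a legitimate file upload alone should not be the source of this alert; a request that does fire should be examined for what sits between the Content-Type header and the multipart token before deciding whether it is application traffic or an exploitation attempt.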

MITRE ATT&CK Technique

-

Severity

medium

Recommendations/Investigative actions

Identify the source and destination and check whether the Apache Struts framework is installed on the destination (it can be embedded in Java applications or other software). If needed, consult the OT engineer or the software vendor. This event can be triggered by legitimate traffic from an application; in that case the event can be closed. Otherwise, it may be an exploitation attempt by a malicious actor leveraging a vulnerability. If no Apache Struts framework is involved, it is a false positive and the rule can be disabled.