Weekly Community Review - November 9, 2023

Greetings all! It’s Suricon week - where members of the Suricata IDS community get together to discuss and collaborate! In that spirit, we had 148 rule submissions to ET Open last week, and we’d like to discuss a few!

Lots of CVE coverage in there - it seems a new vulnerable target and exploit in the wild every day! As we said last week just a ton of intel and protections contributed by the community spraying to all fields. For Apache ActiveMQ CVE-2023-46604, SIDs 2049045 (RCE attempt alert) and 2049046 (XML Configuration downloaded - possible RCE) from the great shared work of @X1r0z!

From F5 CVE-2023-46747 SIDs 2048925 (AJP request smuggling attempt), 2049057 (AJP smuggling request - sets flowbit), 2049058 (unauthenticated RCE for user creation) and 2049059 (unauthenticated RCE for user deletion) from this @praetorian share…

And Atlassian Confluence #CVE-2023-22518 (auth bypass with ability of potential data destruction) - we’ve got coverage on possible (2049096) and successful (2049097) inbound exploit attempts as well as multiple SIDs (2049080-2049085) to detect presence of vulnerable versions of Confluence within your monitored networks!

confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html

Also continued help from so many great researchers on Cisco CVEs. Now CVE-2023-20273 - (separate from 20198) has ET coverage in SID 2049007 (inbound exploit attempt against the vulnerable webUI endpoint) thanks to so many intel sharing researchers! @leak_ix @joel_land

I mentioned suricon - big thanks to @OISFoundation for their efforts putting on virtual Suricon this year!

Speaking of Suricata, we’re working hard to prepare our rule fork to fully support a new ruleset for Suricata 7. Come along on that journey with us as we investigate the changes that need to be made to current rules and talk about some of the challenges we have - like dichotomy of http/2 support between versions:

Many new DNS and TLS SNI signatures last week thanks to work from our friends @elasticseclabs (h/t @greglesnewich) - SIDs 2049013-2049037 cover SockRacket KANDYKORN domains found through their great work.

Thanks to @cpresearch (h/t @adorais) for the guidance for SIDs 2049010 Tunna webshell activity outbound) and FOXSHELL webshell activity (2049011-2049012) as well as APT34 Related SSD Backdoor alerts (2049047-2049048) all from their #ScarredManticore writeup!

That’s it for us - thanks all, be well!