Ruleset-Update; RosettaFlash + some JAVA-Serialized-Object POST - sigs


mex

Jul 17, 2014, 4:06:24 AM
to naxsi-discuss
Hi guys,

new sigs online; most interesting is probably that
RosettaFlash-Sig; @mikispag helped me get the regex
right (gracias, senor)

btw, there is also a rails-update available, addressing that
issue (https://github.com/rails/rails/pull/16109) but there is no
official note on the railssec-ml.


new signatures are available and pushed to the repo:
https://bitbucket.org/lazy_dogtown/doxi-rules/src

full blogpost:

http://blog.dorvakt.org/2014/07/ruleset-update-rosettaflash-some-java.html



[+] new sigs:
42000385 :: app_server.rules :: RosettaFlash JSONP-Exploit callback=CWS
42000381 :: web_server.rules :: Meterpreter-UA detected
42000382 :: web_server.rules :: local File access via file://
42000383 :: app_server.rules :: JAVA-Serialized-Object POST
42000384 :: app_server.rules :: JAVA-Serialized-Object POST / Class=*

--------------------------------------------------


#
# sid: 42000385 | date: 2014-07-17 - 09:45
#
# http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
# http://miki.it/RosettaFlash/RosettaFlash.pdf
# http://quaxio.com/jsonp_handcrafted_flash_files/
#
# credits to @mikispag, who helped me get the regex right
#
# matches a JSONP callback that starts with the uncompressed SWF magic "CWS"
# and carries the zlib-alphabet structure a RosettaFlash-crafted file needs
MainRule "rx:^CWS\w{5}hC\w{50,}" "msg:RosettaFlash JSONP-Exploit callback=CWS" "mz:$ARGS_VAR:callback" "s:$ATTACK:8" id:42000385 ;

#
# sid: 42000382 | date: 2014-05-21 - 23:38
#
# http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
#
MainRule "str:file://" "msg:local File access via file://" "mz:BODY|ARGS" "s:$UWA:8" id:42000382 ;

#
# sid: 42000384 | date: 2014-06-22 - 14:57
#
# http://www.exploit-db.com/exploits/28713/
#
# header name in the match zone must not carry a trailing space
MainRule "str:class=" "msg:JAVA-Serialized-Object POST / Class=*" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000384 ;


#
# sid: 42000383 | date: 2014-06-22 - 14:57
#
# http://www.exploit-db.com/exploits/28713/
#
# header name in the match zone must not carry a trailing space
MainRule "str:java-serialized-object" "msg:JAVA-Serialized-Object POST" "mz:$HEADERS_VAR:Content-Type" "s:$ATTACK:8" id:42000383 ;
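To show what these four rules actually select and score, here is an added Python model of the rule evaluation; it is not naxsi's code and not part of the original post. The rule table mirrors the four MainRule lines above (the Meterpreter-UA rule 42000381 has no body in the post and is left out). The Request type, the zone selectors and the sample requests are constructed for this example; naxsi's real zone handling is richer (raw body, URL, cookies, whitelists) and this model only covers the zones the four rules use. Both str: and rx: are treated case-insensitively here, which is how naxsi treats str: matches.

```python
import re
from dataclasses import dataclass, field

# Rule table: the same content as the four MainRule lines in the post,
# expressed as Python structures instead of nginx config.
RULES = [
    {"id": 42000385, "kind": "rx", "pattern": r"^CWS\w{5}hC\w{50,}",
     "zones": [("ARGS_VAR", "callback")], "score": ("ATTACK", 8),
     "msg": "RosettaFlash JSONP-Exploit callback=CWS"},
    {"id": 42000382, "kind": "str", "pattern": "file://",
     "zones": [("BODY", None), ("ARGS", None)], "score": ("UWA", 8),
     "msg": "local File access via file://"},
    {"id": 42000384, "kind": "str", "pattern": "class=",
     "zones": [("HEADERS_VAR", "Content-Type")], "score": ("ATTACK", 8),
     "msg": "JAVA-Serialized-Object POST / Class=*"},
    {"id": 42000383, "kind": "str", "pattern": "java-serialized-object",
     "zones": [("HEADERS_VAR", "Content-Type")], "score": ("ATTACK", 8),
     "msg": "JAVA-Serialized-Object POST"},
]


@dataclass
class Request:
    """Hypothetical minimal request: query args, headers and body."""
    args: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    body: str = ""


def _candidates(req, zone, name):
    """Return the strings a match zone selects from the request."""
    if zone == "ARGS":
        return list(req.args.values())
    if zone == "ARGS_VAR":
        return [v for k, v in req.args.items() if k == name]
    if zone == "BODY":
        return [req.body]
    if zone == "HEADERS_VAR":
        # header names are case-insensitive in HTTP
        return [v for k, v in req.headers.items() if k.lower() == name.lower()]
    raise ValueError(f"unsupported zone {zone}")


def _matches(rule, value):
    """str: is a substring test, rx: a regex search; both case-insensitive."""
    if rule["kind"] == "rx":
        return re.search(rule["pattern"], value, re.IGNORECASE) is not None
    return rule["pattern"].lower() in value.lower()


def evaluate(req):
    """Return (list of matched rule ids, score per named counter).

    Each rule is counted at most once per request in this simplified model.
    """
    hits, scores = [], {}
    for rule in RULES:
        for zone, name in rule["zones"]:
            if any(_matches(rule, v) for v in _candidates(req, zone, name)):
                hits.append(rule["id"])
                counter, points = rule["score"]
                scores[counter] = scores.get(counter, 0) + points
                break
    return hits, scores


# Constructed sample requests (not real traffic).
BENIGN = Request(args={"callback": "jQuery123_cb"},
                 headers={"Content-Type": "application/json"})
# callback shaped like the CWS...hC... prefix the regex looks for
ROSETTA = Request(args={"callback": "CWSabcdehC" + "A" * 60})
JAVA_SER = Request(headers={"content-type":
                            "application/x-java-serialized-object; class=com.example.Foo"})
FILE_URI = Request(body="href=file:///tmp/example")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("rosetta", ROSETTA),
                       ("java-ser", JAVA_SER), ("file-uri", FILE_URI)]:
        print(label, evaluate(req))
```

Running the block prints one line per sample request; the serialized-object request trips both Content-Type rules and accumulates 16 on the $ATTACK counter, which is why a CheckRule threshold on $ATTACK should be chosen with overlapping signatures like 42000383/42000384 in mind.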