Thread Info
  • State Not Answered
  • Replies 2 replies
  • Subscribers 14 subscribers
  • Views 164 views
  • Users 0 members are here
Options
Suggested

About Oracle WebLogic Deserialization (CVE-2018-2893)

Charley Cheng

Our IDS alerted a network attack, Oracle WebLogic Deserialization (CVE-2018-2893), from an PC.

We wonder Sophos endpoint can find out the attack process or program in the PC?

Parents
  • 0

    Thank you for reaching out to the community forum.

    Can you confirm what Endpoint Subscription you're currently using on the device? With our Sophos IX advance with XDR, you can find the historical event via the threat analysts center. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • 0 in reply to GlennSen

    Following is the rule used and alerted by our IDS, we can't confirm it is a false alarm or not so want to double confirm by scanning the PC by Sophos Endpoint, but if there is no any pattern or ruleset for such malware in Sophos Endpoint, scanning the PC is meaningless.
    alert tcp any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic Deserialization (CVE-2018-2893)"; flow:established,to_server; content:"t3|20|12"; depth:5; fast_pattern; content:"AS|3a|255"; distance:0; content:"HL|3a|19"; distance:0; content:"MS|3a|10000000"; distance:0; content:"PU|3a|t3|3a|//"; distance:0; reference:cve,2018-2893; reference:url,github.com/pyn3rd/CVE-2018-2893; classtype:attempted-admin; sid:2025929; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2018_08_01, cve CVE_2018_2893, deployment Datacenter, signature_severity Major, updated_at 2024_05_21;)

Reply
  • 0 in reply to GlennSen

    Following is the rule used and alerted by our IDS, we can't confirm it is a false alarm or not so want to double confirm by scanning the PC by Sophos Endpoint, but if there is no any pattern or ruleset for such malware in Sophos Endpoint, scanning the PC is meaningless.
    alert tcp any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic Deserialization (CVE-2018-2893)"; flow:established,to_server; content:"t3|20|12"; depth:5; fast_pattern; content:"AS|3a|255"; distance:0; content:"HL|3a|19"; distance:0; content:"MS|3a|10000000"; distance:0; content:"PU|3a|t3|3a|//"; distance:0; reference:cve,2018-2893; reference:url,github.com/pyn3rd/CVE-2018-2893; classtype:attempted-admin; sid:2025929; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2018_08_01, cve CVE_2018_2893, deployment Datacenter, signature_severity Major, updated_at 2024_05_21;)

Children
No Data
Unfiltered HTML