Et rule 2021992 - Magic-SigExplorer

""ET WEB_SPECIFIC_APPS Possible Joomla SQLi Attempt (CVE-2015-7297 CVE-2015-7857 CVE-2015-7858)""

SID: 2021992

Revision: 1

Class Type: attempted-admin

Metadata: created_at 2015_10_22, cve CVE_2015_7297, updated_at 2015_10_22

Reference:

cve
2015-7858

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HTTP_SERVERS

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "GET"
Value: "option="
Value: "view="
Value: "list[select]="
Value: !"Referer|3a|"

Within:

PCRE: "/&list[select]=[^\r\n&]*(?:(?:S(?:HOW (?:C(?:UR(?:DAT|TIM)E|HARACTER SET)|(?:VARI|T)ABLES)|ELECT (?:FROM|USER))|U(?:NION SELEC|PDATE SE)T|DELETE FROM|INSERT INTO)|S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/*.+*\/)?/Ui"

Special Options:

http_method
http_uri
nocase
http_uri
nocase
http_uri
nocase
fast_pattern
http_header

source