Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.<\/li>\n<\/ul>\n <\/p>\n
NSFOCUS Threat Situation Awareness Platform (TSA)<\/strong><\/p>\nAccess BSA and then select Rule Engine and create a network intrusion detection rule, with parameters as follows:<\/p>\n
\n- Mode: Expert<\/li>\n
- Category: Network intrusion<\/li>\n
- SQL: select sip, dip, sum(last_times) as atk_count, sip, dip, min(timestamp) as start_time, max(timestamp) as end_time, concat_agg(related_id_list) as related_id_list from internal_app_bsaips.ipslog where rule_id =24298 group by sip, dip<\/li>\n<\/ul>\n
Click Next<\/strong> and then set parameters as follows on the Attribute Configuration<\/strong> page<\/p>\n\n- Name: struts_057 vulnerability attack<\/li>\n
- Risk Level: High<\/li>\n
- Phase: Exploitation<\/li>\n
- Timeout: 1800 (default)<\/li>\n
- Duration: 3600 (default)<\/li>\n
- Merged Attribute: sip, dip<\/li>\n
- Event Type: System intrusion \u2013 exploit<\/li>\n
- Rule Description: This event is an attack launched by exploiting a struts 2 vulnerability.<\/li>\n
- Recommendation: An attack initiated by our own assets indicates that such assets have been compromised. If an attack targets our assets deployed with the struts service, please check whether such assets contain the vulnerability described in event details.<\/li>\n<\/ul>\n
Click Complete<\/strong> to complete configuration of the network instruction detection rule and enable the rule in the rule list.<\/p>\nCreate a website security rule as follows:<\/p>\n
\n- Mode: Expert<\/li>\n
- Category: Website security<\/li>\n
- SQL: select sip\uff0cdip,LOWER(protocol_type) as protocol_type,LOWER(domain) as domain,dport as dport ,uri as uri ,event_type as event_type_sub,min(timestamp) as start_time,max(timestamp) as end_time,sum(count_num) as atk_count,concat_agg(related_id_list) as related_id_list from internal_app_bsawss.waf_webseclog where rule_id =27004870 group by sip,dip,protocol_type,domain,dport,uri,event_type<\/li>\n<\/ul>\n
Click Next<\/strong> and then set parameters as follows on the Attribute Configuration<\/strong> page<\/p>\n\n- Name: struts_057 vulnerability attack<\/li>\n
- Risk Level: Medium<\/li>\n
- Phase: Exploitation<\/li>\n
- Timeout: 1800 (default)<\/li>\n
- Duration: 3600 (default)<\/li>\n
- Merged Attribute: sip, dip, protocol_type, domain, dport, uri<\/li>\n
- Event Type: System intrusion \u2013 exploit<\/li>\n
- Rule Description: This event is an attack launched by exploiting a struts 2 vulnerability.<\/li>\n
- Recommendation: An attack initiated by our own assets indicates that such assets have been compromised. If an attack targets our assets deployed with the struts service, please check whether such assets contain the vulnerability described in event details.<\/li>\n<\/ul>\n
Click Complete<\/strong> to complete configuration of the website security rule and enable the rule in the rule list.<\/p>\n <\/p>\n
NSFOCUS Enterprise Security Platform (ESP)<\/strong><\/p>\nUpdate the “Apache struts 2 vulnerability exploitation” rule:<\/p>\n
\n- Log in to ESP, choose Security Analysis > Event Rules<\/strong>, find the rule regarding Apache struts 2 vulnerability exploitation, and then click the edit button.<\/li>\n
- In the Rule Configuration<\/strong> area, click Set<\/strong>.<\/li>\n
- In the Filtering Conditions<\/strong> dialog box, add a rule ID 27004870<\/strong> and click OK<\/strong> to close the dialog box.<\/li>\n
- Click OK <\/strong>to complete configuration.<\/li>\n<\/ul>\n
<\/p>\n
NSFOCUS Threat Analysis and Management Platform (TAM, New Version)<\/strong><\/p>\nEditing the “Apache struts 2 Vulnerability Attack Event” Rule<\/p>\n
Note: If UTS has been upgraded, you can directly modify contents of the “Apache struts 2 vulnerability attack event” node by adding the latest rule of UTS regarding the struts 2 (S2-057) vulnerability.<\/p>\n
\n- Navigate to the rule configuration file (\/home\/bsauser\/BSA\/apps\/bsa_tam2\/conf) on TAM, back up mergeconf.xml<\/strong>, and then open this file by using vi.<\/li>\n
- Use \/struts 2 to find the “Apache struts 2 vulnerability attack event” node. Add 24298<\/strong> in the parentheses following rule_id in<\/strong> and save the changes. Then the rule automatically takes effect.<\/li>\n<\/ul>\n
Creating a Custom Scenario<\/p>\n
Note: If UTS has not been upgraded or you want to trace previous exploitation of the struts 2 vulnerability (S2-057), you can use the custom scenario function of TAM.<\/p>\n
\n- Access BSA and select the TAM app. Then choose Scenario Management > Scenario Configuration > Custom Scenario<\/strong> and click New<\/strong>.<\/li>\n
- After creating a custom scenario, edit it by adding the following content in SQL format (Traceback Scope<\/strong> and Traceback Start Time<\/strong> can be modified) and then click OK<\/strong>:<\/li>\n<\/ul>\n
select sip,dip,-1 as sport,dport,min(timestamp) as start_time,max(timestamp) as end_time,first_value(sip_int) as sipv4_int,first_value(srccountryname) as src_country,first_value(srcsubdivisionname) as src_province,first_value(srccityname) as src_city,first_value(dip_int) as dipv4_int,first_value(dstcountryname) as dst_country,first_value(dstsubdivisionname) as dst_province,first_value(dstcityname) as dst_city from internal_app_bsatam2.tam_httplog where method=’GET’ and (uri like ‘%java.lang.Runtime%’ or uri like ‘%java.lang.ProcessBuilder%’) group by sip,dip,dport<\/p>\n
<\/p>\n
Scanning Configuration on RSAS<\/strong><\/p>\nRSAS users should visit the following link to download the latest plug-in to address this vulnerability.<\/p>\n
The following is a link to the latest rule base that contains the S2-057 rule for RSAS V6.0 users:<\/p>\n
http:\/\/update.nsfocus.com\/update\/downloads\/id\/22281<\/a><\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Vulnerable-in-Linux.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Patch-released.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Redirected-and-invoked.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/execution-chain.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/ConditionParse.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/how-the-call-stack-works-1.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/parameters-in-evaluation.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/RCE-exploit-succeeds.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Create-a-custom-rule-in-WAF.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Set-a-name-for-the-rule.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Other-configurations.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/constraints.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Create-a-custom-policy.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Name-custom-policy.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Apply-the-policy.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Rule-upgrade.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Upload.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/Upgraded.png\")
<\/a><\/p>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2018\/08\/WVSS-Upgrade.png\")
<\/a><\/p>\n