I believe I have a signature worked out for the nasty PHP-CGI bug. (CVE-2012-1823)
The vulnerability is executed by using arguments in the URL of PHP scripts. (Example: http://www.facebook.com/?-s would show you the source code if it was vulnerable. Facebook has since fixed it and planted a nice easter egg.)
Cisco has not released an official signature for this yet. This is a custom signature of my own device and I make no claims or warranty of its fitness.
Start by creating a custom sig:
Signature Type = Vulnerability
Engine Type = Service HTTP
Specify Request Regex = Yes
Request Regex = [\?][\-][acndefhilmrBRFEHTsvwz]
Service Ports = 80 (*note that https urls are encrypted and you won't get any hits by enabling 443)
Set Severity to high and tell it to produce an alert.
Next create an event action filter to remove the produce alert action for threats triggered leaving your network. (we only care about our php installations, not everyone else's.) Watch it for a few days; if you have no false positives, set it up to drop packets.
Good Luck. Let me know if anyone sees a flaw in this signature design.
Thank you for letting us know about the custom signature, we appreciate the input. I have added this CVE to our system to be addressed as soon as possible.
The signature you listed makes sense, however it seems to me that the regular expression might be a little loose for use on some busy networks.
Currently it is looking for three characters anywhere in the request.
I would probably move the request regex to the URI Regex field. I would also add the trailing "/" to the regex to tighten it a little more. We could also move the signature to the #WEBPORTS service-ports variable, to cover ports 8080,8000, etc.
Before we release signatures, however, we perform rigorous false-positive testing, so we will need to take our own signature through this process before you see it in the signature package.
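The difference between the posted design (regex over the whole request) and the reply's suggestion (same regex against the URI field only) can be checked offline. The following is an added example, not code from either poster or from Cisco; the sample requests are constructed and the helper names are my own.

```python
import re

# Regex exactly as posted in the thread: "?-" followed by one php-cgi option letter.
POSTED_REGEX = re.compile(r"[\?][\-][acndefhilmrBRFEHTsvwz]")


def request_uri(raw_request: str) -> str:
    """Return the request-target from the first line of a raw HTTP request."""
    request_line = raw_request.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def hits_request_regex(raw_request: str) -> bool:
    """Posted design: the regex is applied anywhere in the request (headers and body)."""
    return POSTED_REGEX.search(raw_request) is not None


def hits_uri_regex(raw_request: str) -> bool:
    """Reply's tightened design: the same regex applied only to the request URI."""
    return POSTED_REGEX.search(request_uri(raw_request)) is not None


# Constructed sample requests (hypothetical hosts, not captured traffic).
SAMPLES = {
    # The source-disclosure form mentioned in the thread.
    "source_disclosure": "GET /index.php?-s HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # Ordinary query string: neither design should fire.
    "normal_query": "GET /index.php?id=5 HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    # "?-s" only inside a Referer header: noise the request-wide regex picks up.
    "referer_only": ("GET /page.html HTTP/1.1\r\nHost: www.example.test\r\n"
                     "Referer: http://other.test/?-s\r\n\r\n"),
    # Free text in a POST body happens to contain "?-s": another false positive.
    "body_text": ("POST /comment HTTP/1.1\r\nHost: www.example.test\r\n"
                  "Content-Length: 17\r\n\r\ntext=Really?-sure"),
}


def evaluate(samples=SAMPLES):
    """Map sample name -> (request-regex hit, uri-regex hit)."""
    return {name: (hits_request_regex(r), hits_uri_regex(r)) for name, r in samples.items()}


if __name__ == "__main__":
    for name, (whole, uri) in evaluate().items():
        print(f"{name:18s} request-regex={whole!s:5s} uri-regex={uri}")
```

Only the real query-string case fires under the URI-only check; the Referer and body samples fire under the request-wide regex alone, which is the looseness the reply points at.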