Yara Rule - 이 Yara 규칙은 Citrix Netscaler ADC CVE-2023-3519의 시도 시도에 따라 나타나는 포렌식 증거을 감지이 규칙은 지나치게 긴 URL을 사용하여 취약한 기능에 액세스하려는 시도를 식별그러나 그러한 시도가 성공했는지 여부는 확인되지 않습니다.
Yara 정의.
Yara Rule - This YARA rule detects forensic artifacts that appear following an attempted exploitation of Citrix NetScaler ADC CVE-2023-3519. The rule identifies an attempt to access the vulnerable function using an overly long URL, a potential sign of attempted exploitation. However, it does not confirm whether such an attempt was successful.
Yara definition.
Author: Florian Roth
https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/
date = "2023-07-27"
score = 65
/* overly long URL - all URLLEN values >= 200 */
$sr1 = /GWTEST FORMS SSO: Parse=0; URLLEN=([2-9][0-9]{2}|[0-9]{4,20}); Event: start=0x/
$s1 = ", type=1; Target: start=0x"```
[https://github.com/Neo23x0/signature-base/commit/f70276036c746ea653381f26a412e4243f031677](https://github.com/Neo23x0/signature-base/commit/f70276036c746ea653381f26a412e4243f031677)