help on Custom signature base on the return traffic


L1 Bithead

Dear Bros


Does anyone have experience creating a custom signature based on the return traffic? Please find the PCAP file attached.


This is a JBoss attack, and the customer wants us to alert based on the server's return traffic content pattern, which means the attack was most likely successful.


     Attacker: server:


L5 Sessionator

Hi Kowu,


Welcome to our community.


When looking at this pcap, it seems to be a capture of communication to the localhost (Host:); therefore I assume this was POC code. The firewall cannot help much in intercepting traffic from an endpoint to itself 🙂


I am not familiar with this attack; can you share more details on the attack technique itself? What is the attack doing, what are the bits related to the attack... is there a CVE associated with this technique or some other detail, is it described somewhere? Or, at least, what is the string you believe implies that the server was attacked? I see the pcap looks complete, but I am not sure which is the "good" and which is the "bad" part of the response. It is better to find the "bad" code to create a signature for it, to avoid possible false positives.


Please share a bit more detail so we can help you better.


Best regards


Thanks luck!


It is related to the JBoss CVE vulnerability (Red Hat JBoss Commons Collections Library Remote Code Execution Vulnerability), threat ID 38507.


The customer wants a custom signature that combines this CVE with the related reply session from the victim, which means the attack is most likely successful.


Let's say the attack session hits the CVE, while the response traffic in the session from the victim contains "http 1.1 200 ok"; that means the attack session is established or successful.


The goal is to create a signature that can match the reply/response traffic and combine them.


Attacker: victim: (response traffic should be from to)


Please filter the IP address in the pcap file.


Attacker: http server:

Any advice?


I never tried it, but I guess you could create a new vulnerability that looks at the HTTP response code 200 (http-rsp-code equals 200) and the JBoss HTTP header (pattern match http-rsp-headers on X-Powered-By ...). You could then create a combination signature that includes threat ID 38507 with the new signature you made.
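To make the combination logic from the reply above concrete, here is an added Python example (not code from the thread or from Palo Alto Networks) that does on a single request/response pair what the suggested combination signature would do on the firewall: it only alerts when the request side already matched threat ID 38507 and the server's reply is a 200 with a JBoss X-Powered-By header. The threat ID comes from the thread; the header value "JBoss" and all sample responses below are constructed assumptions, since the thread only says "X-Powered-By ...".

```python
"""Added example: correlate a request that matched threat ID 38507 with a
'200 OK' response carrying a JBoss X-Powered-By header, mirroring the
combination signature proposed in the thread. Sample traffic is constructed."""
import re
from dataclasses import dataclass

# Threat ID taken from the thread; matching on "JBoss" in X-Powered-By is an
# assumption (the thread does not give the exact header value).
REQUEST_THREAT_ID = 38507
POWERED_BY_PATTERN = re.compile(r"JBoss", re.IGNORECASE)


@dataclass
class HttpResponse:
    status_code: int
    headers: dict  # header names lower-cased


def parse_http_response(raw: bytes) -> HttpResponse:
    """Parse the status line and headers of a raw HTTP/1.x response (body ignored)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpResponse(int(m.group(1)), headers)


def response_indicates_success(resp: HttpResponse) -> bool:
    """The 'new vulnerability' half of the combination:
    http-rsp-code equals 200 AND http-rsp-headers match the JBoss pattern."""
    powered_by = resp.headers.get("x-powered-by", "")
    return resp.status_code == 200 and bool(POWERED_BY_PATTERN.search(powered_by))


def combination_alert(request_threat_ids: set, raw_response: bytes) -> bool:
    """Alert only when both halves hit in the same session: the request
    triggered threat ID 38507 and the reply looks like a successful JBoss response."""
    if REQUEST_THREAT_ID not in request_threat_ids:
        return False
    try:
        resp = parse_http_response(raw_response)
    except ValueError:
        return False  # unparsable reply: no match, no alert
    return response_indicates_success(resp)


# Constructed sample responses (not from the thread's pcap).
SUCCESS_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\n"
                    b"X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1\r\n"
                    b"Content-Length: 0\r\n\r\n")
ERROR_RESPONSE = b"HTTP/1.1 500 Internal Server Error\r\nX-Powered-By: JBoss\r\n\r\n"
OTHER_SERVER = b"HTTP/1.1 200 OK\r\nX-Powered-By: PHP/7.4\r\n\r\n"

if __name__ == "__main__":
    print(combination_alert({38507}, SUCCESS_RESPONSE))  # True: both halves hit
    print(combination_alert({38507}, ERROR_RESPONSE))    # False: not a 200
    print(combination_alert({38507}, OTHER_SERVER))      # False: not JBoss
    print(combination_alert(set(), SUCCESS_RESPONSE))    # False: request side never matched
```

The two checks are kept separate on purpose: `response_indicates_success` is the standalone response signature, and `combination_alert` is the AND of that signature with the existing request-side threat ID, which is exactly the split the reply describes. Alerting on the 200 alone would fire on every normal JBoss page, so the request-side match is what keeps the false-positive rate down.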


