Skip to content

Add React2Shell Snort Mapping #3822

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nasbench merged 3 commits into from
Dec 8, 2025
Merged

Add React2Shell Snort Mapping #3822

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
41ce13d
Create cisco_secure_firewall___react_server_components_rce_attempt.yml
nasbench Dec 8, 2025
47d0e7b
Update cisco_secure_firewall___react_server_components_rce_attempt.yml
nasbench Dec 8, 2025
0c3453e
Update cisco_secure_firewall___react_server_components_rce_attempt.yml
nasbench Dec 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
87 changes: 87 additions & 0 deletions detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
name: Cisco Secure Firewall - React Server Components RCE Attempt
id: d36459b1-7901-401a-a67e-44426c15b168
version: 1
date: '2025-12-08'
author: Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
description: |
This analytic detects exploitation activity of CVE-2025-55182 using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered
If confirmed malicious, this behavior could be indicative of a potential exploitation of CVE-2025-55182.
data_source:
- Cisco Secure Firewall Threat Defense Intrusion Event
search: |
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id = 65554
| fillnull
| stats min(_time) as firstTime
max(_time) as lastTime
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src_ip) as src_ip
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
by dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___react_server_components_rce_attempt_filter`
how_to_implement: |
This search requires Cisco Secure Firewall Threat Defense Logs, which
includes the FileEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
The malware & file access policy must also enable logging.
known_false_positives: |
Security testing or vulnerability scanners might trigger this. Investigate any potential
matches to determine if they're legitimate.
references:
- https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- https://nextjs.org/blog/CVE-2025-66478
- https://nvd.nist.gov/vuln/detail/CVE-2025-55182
- https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
- https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
drilldown_searches:
- name: View the detection results for - "$src_ip$" and "$dest_ip$"
search: '%original_detection_search% | search src_ip="$src_ip$" dest_ip="$dest_ip$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src_ip$" and "$dest_ip$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
rba:
message: Potential exploitation of CVE-2025-65554 from $src_ip$
risk_objects:
- field: dest_ip
type: system
score: 85
threat_objects:
- field: src_ip
type: system
tags:
analytic_story:
- React2Shell
asset_type: Endpoint
mitre_attack_id:
- T1190
product:
- Splunk Enterprise
- Splunk Enterprise Security
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/react2shell/react2shell.log
source: not_applicable
sourcetype: cisco:sfw:estreamer