# Emerging Threats # # This distribution may contain rules under two different licenses. # # Rules with sids 1 through 3464, and 100000000 through 100000908 are under the GPLv2. # A copy of that license is available at http://www.gnu.org/licenses/gpl-2.0.html # # Rules with sids 2000000 through 2799999 are from Emerging Threats and are covered under the BSD License # as follows: # #************************************************************* # Copyright (c) 2003-2025, Emerging Threats # All rights reserved. # # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the # following conditions are met: # # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following # disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the # following disclaimer in the documentation and/or other materials provided with the distribution. # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived # from this software without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
# #************************************************************* # # # # # This Ruleset is EmergingThreats Open optimized for suricata-5.0-enhanced. #alert tcp $EXTERNAL_NET any -> $HOME_NET 2200 (msg:"ET EXPLOIT CA BrightStor ARCserve Mobile Backup LGSERVER.EXE Heap Corruption"; flow:established,to_server; content:"|4e 3d 2c 1b|"; depth:4; isdataat:2891,relative; reference:cve,2007-0449; classtype:attempted-admin; sid:2003369; rev:3; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT Computer Associates Mobile Backup Service LGSERVER.EXE Stack Overflow"; flow:established,to_server; content:"0000033000"; depth:10; isdataat:1000,relative; reference:url,www.milw0rm.com/exploits/3244; classtype:attempted-admin; sid:2003378; rev:3; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; sid:2000048; rev:5; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; sid:2000031; rev:5; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; 
content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; sid:2000049; rev:5; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference:url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; classtype:attempted-dos; sid:2000007; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; reference:url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype:attempted-dos; sid:2000005; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"ET EXPLOIT UPnP DLink M-Search Overflow Attempt"; content:"M-SEARCH "; depth:9; nocase; isdataat:500,relative; pcre:"/M-SEARCH\s+[^\n]{500}/i"; reference:url,www.eeye.com/html/research/advisories/AD20060714.html; classtype:attempted-user; sid:2003039; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 427 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp"; content:"language"; content:"|65 7a 69 70 3a 2f 2f 62 6c 61 2f 62 6c 61 3f 53 4e 3d 62 6c 61 3f 50 4e 3d 62 6c 61 3f 55 4e 3d 62 6c 61|"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0767; 
classtype:successful-dos; sid:2007876; rev:2; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-1"; flow:established; content:"cwd"; depth:4; nocase; dsize:>74; pcre:"/(\/\.){70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; sid:2008776; rev:3; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT GuildFTPd CWD and LIST Command Heap Overflow - POC-2"; flow:established; content:"list"; depth:5; nocase; dsize:>74; pcre:"/[\w]{70,}/i"; reference:url,milw0rm.com/exploits/6738; reference:cve,CVE-2008-4572; reference:bugtraq,31729; classtype:web-application-attack; sid:2008777; rev:3; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 1530 (msg:"ET EXPLOIT HP Open View Data Protector Buffer Overflow Attempt"; flow:established,to_server; content:"|B6 29 8C 23 FF FF FF|"; pcre:"/\xB6\x29\x8C\x23\xFF\xFF\xFF[\xF8-\xFF]/"; reference:url,dvlabs.tippingpoint.com/advisory/TPTI-09-15; reference:cve,2007-2281; classtype:attempted-admin; sid:2010546; rev:3; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT IIS FTP Exploit - NLST Globbing Exploit"; flow:established,to_server; content:"NLST "; nocase; content:"|2a 2f 2e 2e 2f|"; reference:url,www.milw0rm.com/exploits/9541; reference:cve,2009-3023; classtype:attempted-admin; sid:2009860; rev:5; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid non-fragmented packet with 
fragment offset>0"; fragbits: !M; fragoffset: >0; classtype:bad-unknown; sid:2001022; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; classtype:bad-unknown; sid:2001023; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; classtype:bad-unknown; sid:2001024; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; content:"sPLT"; isdataat:80,relative; content:!"|00|"; distance: 0; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001195; rev:9; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference:url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype:shellcode-detect; sid:2001369; rev:7; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype:shellcode-detect; sid:2001363; rev:7; 
metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference:url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype:shellcode-detect; sid:2001364; rev:7; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4, >, 256, 60, little; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; classtype:misc-activity; sid:2001374; rev:8; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little; classtype:misc-attack; sid:2001668; rev:6; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001848; rev:7; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg:"ET EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: 
to_server,established; content:"X-LSA-2"; nocase; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001849; rev:7; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001873; rev:9; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"ET EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype:misc-activity; sid:2001874; rev:8; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT DOS Microsoft Windows SRV.SYS MAILSLOT"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|03|"; distance:21; content:"|01 00 00 00 00 00|"; distance:1; within:6; byte_test:2,=,17,0,little,relative; content:"|5C|MAILSLOT|5C|"; within:10; distance:2; reference:url,www.milw0rm.com/exploits/2057; reference:url,www.microsoft.com/technet/security/bulletin/MS06-035.mspx; classtype:attempted-dos; 
sid:2003067; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MSSQL Hello Overflow Attempt"; flow:established,to_server; dsize:>400; content:"|12 01 00 34 00 00 00 00|"; offset:0; depth:8; reference:cve,2002-1123; reference:bugtraq,5411; classtype:attempted-admin; sid:2002845; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype:attempted-user; sid:2000373; rev:7; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) #alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-admin; sid:2000377; rev:7; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08)"; dsize: >1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000378; rev:8; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; 
content:"|08|"; depth: 1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000379; rev:7; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $SQL_SERVERS 1434 (msg:"ET EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference:bugtraq,5411; classtype:attempted-admin; sid:2000380; rev:9; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_servicecontrol access"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|c|00|o|00|n|00|t|00|r|00|o|00|l|00|"; nocase; classtype:attempted-user; sid:2009999; rev:3; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_fileexist access"; flow:to_server,established; content:"x|00|p|00|_|00|f|00|i|00|l|00|e|00|e|00|x|00|i|00|s|00|t|00|"; nocase; classtype:attempted-user; sid:2010000; rev:3; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT MDAEMON (Post Auth) Remote Root IMAP FETCH Command Universal Exploit"; flow:established,to_server; content:"FLAGS BODY"; pcre:"/[0-9a-zA-Z]{200,}/R"; content:"|EB 06 90 90 8b 11 DC 64 90|"; distance:0; reference:url,www.milw0rm.com/exploits/5248; reference:bugtraq,28245; reference:cve,2008-1358; classtype:successful-user; sid:2008063; rev:3; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"ET EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; classtype:attempted-admin; sid:2001988; rev:4; metadata:created_at 2010_07_30, 
confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET EXPLOIT Possible Novell Groupwise Internet Agent CREATE Verb Stack Overflow Attempt"; flow:established,to_server; content:"|41 30 30 31|"; depth:4; content:"CREATE "; within:10; isdataat:500,relative; content:!"|0A|"; within:500; reference:url,www.exploit-db.com/exploits/14379/; reference:url,www.zerodayinitiative.com/advisories/ZDI-10-129/; reference:url,support.microfocus.com/kb/doc.php?id=7006374; classtype:attempted-admin; sid:2011235; rev:2; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexMetadata"; nocase; content:"sys.dbms_export_extension.get_domain_index_metadata"; nocase; reference:bugtraq,17699; classtype:attempted-admin; sid:2002886; rev:3; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_domain_index_tables Access"; flow:established,to_server; content:"sys.dbms_export_extension.get_domain_index_tables"; nocase; reference:bugtraq,17699; classtype:attempted-admin; sid:2002887; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ET EXPLOIT SYS get_v2_domain_index_tables Privilege Escalation Attempt"; flow:established,to_server; content:"ODCIIndexUtilGetTableNames"; nocase; content:"sys.dbms_export_extension.get_v2_domain_index_tables"; nocase; reference:bugtraq,17699; classtype:attempted-admin; sid:2002888; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 
$ORACLE_PORTS (msg:"ET EXPLOIT Possible Oracle Database Text Component ctxsys.drvxtabc.create_tables Remote SQL Injection Attempt"; flow:established,to_server; content:"ctxsys|2E|drvxtabc|2E|create|5F|tables"; nocase; content:"dbms|5F|sql|2E|execute"; nocase; distance:0; pcre:"/ctxsys\x2Edrvxtabc\x2Ecreate\x5Ftables.+(SELECT|DELETE|CREATE|INSERT|UPDATE|OUTFILE)/si"; reference:url,www.securityfocus.com/bid/36748; reference:cve,2009-1991; classtype:attempted-admin; sid:2010375; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, cve CVE_2009_1991, deployment Datacenter, confidence Medium, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT FTP .message file write"; flow:to_server,established; content:"STOR "; nocase; depth:5; content:".message|0d 0a|"; distance:0; pcre:"/[^a-zA-Z0-9]+\.message/"; flowbits:set,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; classtype:misc-attack; sid:2003196; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT ProFTPD .message file overflow attempt"; flowbits:isset,BE.ftp.message; flow:to_server,established; content:"CWD "; depth:4; nocase; flowbits:unset,BE.ftp.message; reference:url,www.milw0rm.com/exploits/2856; classtype:misc-attack; sid:2003197; rev:6; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; classtype:suspicious-login; sid:2000565; rev:8; 
metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; classtype:suspicious-login; sid:2000566; rev:8; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; classtype:misc-attack; sid:2000564; rev:9; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; classtype:misc-attack; sid:2000567; rev:8; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; classtype:misc-activity; sid:2001053; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; classtype:misc-activity; sid:2001544; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 
54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; classtype:misc-activity; sid:2001052; rev:8; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; classtype:misc-activity; sid:2001543; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 139 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; classtype:suspicious-login; sid:2001753; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; classtype:suspicious-login; sid:2001754; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Possible Vulnerable Server Response"; flow:established; dsize:12; content:"RFB 003.00"; depth:11; flowbits:noalert; flowbits:set,BSposs.vuln.vnc.svr; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; classtype:misc-activity; sid:2002912; rev:7; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Client response"; flowbits:isset,BSposs.vuln.vnc.svr; flow:established; dsize:12; content:"RFB 003.0"; depth:9; flowbits:noalert; flowbits:set,BSis.vnc.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; 
classtype:misc-activity; sid:2002913; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:20; content:"|00 00 00 02|"; depth:4; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:2002914; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string"; flowbits:isset,BSis.vnc.setup; flow:established; dsize:2; content:"|01 02|"; depth:2; flowbits:noalert; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:2002918; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication"; flowbits:isset,BSis.vnc.setup; flow:established; content:"|01 01|"; depth:2; flowbits:set,BSvnc.auth.offered; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; classtype:misc-activity; sid:2002924; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Server Not Requiring Authentication (case 2)"; flowbits:isset,BSis.vnc.setup; dsize:4; flow:established; content:"|00 00 00 01|"; depth:4; flowbits:set,BSvnc.auth.offered; reference:url,www.realvnc.com/docs/rfbproto.pdf; reference:cve,2006-2369; classtype:misc-activity; sid:2002923; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Good Authentication Reply"; 
flowbits:isset,BSvnc.auth.offered; flow:established; dsize:2; content:"|02|"; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:attempted-admin; sid:2002919; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VNC Authentication Reply"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:16; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:attempted-admin; sid:2002915; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT VNC Multiple Authentication Failures"; flowbits:isset,BSvnc.auth.agreed; flow:established; dsize:<50; content:"|00 00 00 02|"; depth:4; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:attempted-admin; sid:2002921; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT SQL sp_configure - configuration change"; flow:to_server,established; content:"s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; classtype:attempted-user; sid:2008517; rev:2; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp_configure attempt"; flow:to_server,established; content:"sp_configure"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; classtype:attempted-user; sid:2008518; rev:2; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 4000 (msg:"ET EXPLOIT SecurityGateway 1.0.1 Remote Buffer 
Overflow"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"/SecurityGateway.dll"; nocase; distance:0; content:"logon"; nocase; distance:0; content:"&username"; nocase; distance:0; pcre:"/\x3d[^\x26]{720}/R"; reference:url,frsirt.com/english/advisories/2008/1717; reference:url,milw0rm.com/exploits/5718; reference:cve,2008-4193; classtype:misc-attack; sid:2008426; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference:url,aluigi.altervista.org/adv/shixxbof-adv.txt; classtype:shellcode-detect; sid:2001385; rev:6; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; reference:url,online.securityfocus.com/archive/1/293844; classtype:attempted-admin; sid:2001780; rev:6; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack inbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:cve,2007-0882; classtype:attempted-user; sid:2003411; rev:8; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Solaris telnet USER environment vuln Attack outbound"; flow:to_server,established; content: "|ff fa 27 00 00 55 53 45 52 01 2d 
66|"; rawbytes; reference:url,riosec.com/solaris-telnet-0-day; reference:url,isc.sans.org/diary.html?n&storyid=2220; reference:cve,2007-0882; classtype:attempted-user; sid:2003412; rev:4; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+|3A|\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; classtype:attempted-user; sid:2010877; rev:3; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Possible Sendmail SpamAssassin Milter Plugin Remote Arbitrary Command Injection Attempt"; flow:established,to_server; content:"to|3A|"; depth:10; nocase; content:"+\"|7C|"; distance:0; reference:url,www.securityfocus.com/bid/38578; reference:url,seclists.org/fulldisclosure/2010/Mar/140; classtype:attempted-user; sid:2010941; rev:1; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"ET EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference:url,www.idefense.com/application/poi/display?id=107; reference:cve,CAN-2004-0541; classtype:misc-attack; sid:2000342; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT 
TFTP Invalid Mode in file Get"; content:"|01|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; classtype:non-standard-protocol; sid:2003198; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"ET EXPLOIT TFTP Invalid Mode in file Put"; content:"|02|"; depth:1; content:"|00|"; distance:1; content:"|00|"; distance:0; content:!"|00|binary|00|"; nocase; content:!"|00|netascii|00|"; nocase; content:!"|00|mail|00|"; nocase; classtype:non-standard-protocol; sid:2003199; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 14942 (msg:"ET EXPLOIT Trend Micro Web Interface Auth Bypass Vulnerable Cookie Attempt"; flow:established,to_server; content:"splx_2376_info"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=477; reference:url,www.trendmicro.com/download/product.asp?productid=20; classtype:attempted-admin; sid:2003434; rev:3; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; classtype:attempted-admin; sid:2002062; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, confidence Medium, signature_severity Critical, tag Metasploit, updated_at 2019_07_26;) #alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any 
(msg:"ET EXPLOIT NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; classtype:attempted-recon; sid:2002068; rev:8; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:default-login-attempt; sid:2002181; rev:5; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET 10000 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:misc-attack; sid:2002182; rev:5; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WMF Exploit"; flow:established; content:"|01 00 09 00 00 03 52 1f 00 00 06 00 3d 00 00 00|"; content:"|00 26 06 0f 00 08 00 ff ff ff ff 01 00 00 00 03 00 00 00 00 00|"; reference:url,www.frsirt.com/exploits/20051228.ie_xp_pfv_metafile.pm.php; classtype:attempted-user; sid:2002734; rev:5; metadata:created_at 2010_07_30, confidence High, 
signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT Xerox WorkCentre PJL Daemon Buffer Overflow Attempt"; flow:established,to_server; content:"ENTER LANGUAGE ="; depth:50; nocase; isdataat:55,relative; content:!"|0A|"; within:55; pcre:"/ENTER\x20LANGUAGE\x20\x3D.{55}/smi"; reference:url,www.securityfocus.com/bid/38010; classtype:attempted-admin; sid:2010759; rev:2; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; sid:2002316; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:established; content:"Expires|3a|"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; sid:2002315; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"|3b 00|"; content:"-|00|-|00|"; reference:url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference:url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype:attempted-user; sid:2000372; rev:8; metadata:affected_product Web_Server_Applications, 
attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 2775 (msg:"ET EXPLOIT Now SMS/MMS Gateway SMPP BOF Vulnerability"; flow:established,to_server; content:"|00 00 00 04|"; content:"|00 00 00 01|"; distance:1; pcre:"/[a-zA-Z0-9]{1000,}/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; classtype:web-application-attack; sid:2007875; rev:4; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; classtype:misc-attack; sid:2000563; rev:11; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert tcp $HOME_NET 139 -> any any (msg:"ET EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"|3a 00|5|00|0|00|0|3a|"; classtype:misc-attack; sid:2000568; rev:10; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated script"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xbc[\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:2003400; rev:4; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;) #alert http $EXTERNAL_NET 
$HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript download file"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/\xae[\xef\xcf][\xf0\xd0][\xe5\xc5][\xee\xce]\xa0\xa2[\xe7\xc7][\xe5\xc5][\xf4\xd4]\xa2/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:2003401; rev:5; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript execute command"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf3\xd3][\xe8\xc8][\xe5\xc5][\xec\xcc][\xec\xcc][\xe5\xc5][\xf8\xd8][\xe5\xc5][\xe3\xc3][\xf5\xd5][\xf4\xd4][\xe5\xc5]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:2003402; rev:5; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT US-ASCII Obfuscated VBScript"; flow:established,from_server; content:"US-ASCII"; nocase; pcre:"/[\xf6\xd6][\xe2\xc2][\xf3\xd3][\xe3\xc3][\xf2\xd2][\xe9\xc9][\xf0\xd0][\xf4\xd4]/"; reference:url,www.internetdefence.net/2007/02/06/Javascript-payload; reference:cve,2006-3227; reference:url,www.securityfocus.com/archive/1/437948/30/0/threaded; classtype:web-application-attack; sid:2003403; rev:4; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id 
TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;) #alert http any $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java runtime.exec() call"; flow:from_server,established; content:"|52 75 6e 74 69 6d 65 3b 01 00 04 65 78 65 63 01 00|"; reference:url,www.mullingsecurity.com; classtype:trojan-activity; sid:2002783; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java private function call sun.misc.unsafe"; flow:from_server,established; content:"sun/misc/Unsafe"; reference:url,www.mullingsecurity.com; classtype:trojan-activity; sid:2002784; rev:4; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT GsecDump executed"; flow:to_server,established; content:"|67 00 73 00 65 00 63 00 64 00 75 00 6d 00 70 00 2e 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-gsecdump.html; classtype:suspicious-filename-detect; sid:2010783; rev:3; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 50002 (msg:"ET EXPLOIT Possible Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flow:established,to_server; content:"POST "; nocase; depth:5; content:""; nocase; distance:0; flowbits:set,ET.etrust.fieldis; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011502; rev:1; metadata:created_at 2010_09_27, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible IIS FTP Exploit attempt - Large SITE command"; flow:established,to_server; content:"SITE "; nocase; isdataat:150,relative; 
content:!"|0d 0a|"; within:150; reference:url,www.milw0rm.com/exploits/9541; reference:cve,2009-3023; classtype:attempted-admin; sid:2009828; rev:6; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 8800 (msg:"ET EXPLOIT Now SMS/MMS Gateway HTTP BOF Vulnerability"; flow:established,to_server; content:"GET "; depth:4; content:"Authorization|3a|"; distance:0; content:"Basic"; distance:0; pcre:"/Authorization\x3a\s*Basic\s*[a-zA-Z0-9]{255,}==/i"; reference:bugtraq,27896; reference:url,aluigi.altervista.org/adv/nowsmsz-adv.txt; classtype:web-application-attack; sid:2007874; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert http any any -> $HOME_NET 8765 (msg:"ET EXPLOIT JDownloader Webinterface Source Code Disclosure"; flow:established,to_server; content:"|2f|index|2e|tmpl"; depth:80; nocase; pcre:"/\x2findex\x2etmpl(\x3a\x3a\x24DATA|\x2f|\x2e)\x0d\x0a/i"; reference:url,packetstormsecurity.org/files/view/96126/jdownloader-disclose.txt; classtype:attempted-recon; sid:2012055; rev:2; metadata:created_at 2010_12_15, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RetroGuard Obfuscated JAR likely part of hostile exploit kit"; flow:established,from_server; content:"classPK"; content:"|20|by|20|RetroGuard|20|Lite|20|"; reference:url,www.retrologic.com; classtype:exploit-kit; sid:2012518; rev:2; metadata:created_at 2011_03_17, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:2; metadata:created_at 2011_03_31, 
signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack Binary Load Request"; flow:established,to_server; content:".php?sex="; nocase; http_uri; content:"&children="; nocase; http_uri; content:"&userid="; nocase; http_uri; pcre:"/\.php\?sex=\d+&children=\d+&userid=/U"; classtype:trojan-activity; sid:2012687; rev:2; metadata:created_at 2011_04_13, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"GPL EXPLOIT xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:2101987; rev:8; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101900; rev:11; metadata:created_at 2010_09_23, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:2101901; rev:11; metadata:created_at 2010_09_23, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; 
reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101894; rev:9; metadata:created_at 2010_09_23, cve CVE_2002_1226, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101895; rev:9; metadata:created_at 2010_09_23, cve CVE_2002_1226, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101896; rev:9; metadata:created_at 2010_09_23, cve CVE_2002_1226, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101897; rev:9; metadata:created_at 2010_09_23, cve CVE_2002_1226, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 2"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; 
reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101898; rev:9; metadata:created_at 2010_09_23, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"GPL EXPLOIT kadmind buffer overflow attempt 3"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:2101899; rev:9; metadata:created_at 2010_09_23, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22 60|"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:2101821; rev:9; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"GPL EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:2101838; rev:9; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"GPL EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 
00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:2101751; rev:8; metadata:created_at 2010_09_23, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"GPL EXPLOIT xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2101759; rev:6; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Eleonore Exploit Pack exemple.com Request"; flow:established,to_server; content:"/exemple.com/"; nocase; http_uri; classtype:trojan-activity; sid:2012940; rev:2; metadata:created_at 2011_06_07, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:2101661; rev:5; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; nocase; http_uri; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:2101610; rev:13; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI setAttribute"; flow:established,from_server; content:"setAttribute("; content:"C|3a 5c 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; 
distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013066; rev:3; metadata:created_at 2011_06_17, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2011-2110 Flash Exploit Attempt Embedded in Web Page"; flow:established,to_client; content:" $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2011-2110 Flash Exploit Attempt"; flow:established,to_server; content:"GET /"; depth:5; content:".swf?info=02"; http_uri; reference:url,www.shadowserver.org/wiki/pmwiki.php/Calendar/20110617; classtype:trojan-activity; sid:2013065; rev:4; metadata:created_at 2011_06_17, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via GET"; flow:established,to_server; content:"/xslt?PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; http_uri; content:"&PASSWORD="; http_uri; distance:0; content:"&PASSWORD_CONF="; http_uri; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013165; rev:2; metadata:created_at 2011_07_01, signature_severity Major, updated_at 2019_07_26;) #alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VSFTPD Backdoor User Login Smiley"; flow:established,to_server; content:"USER "; depth:5; content:"|3a 29|"; distance:0; classtype:attempted-admin; sid:2013188; rev:5; 
metadata:created_at 2011_07_05, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow Attempt"; flow:established,to_server; content:"/OvCgi/Toolbar.exe?"; http_uri; content:"/OvCgi/Toolbar.exe?"; isdataat:1024,relative; content:!"|0A|"; within:1024; reference:url,exploit-db.com/exploits/17536/; classtype:web-application-attack; sid:2013288; rev:3; metadata:created_at 2011_07_19, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 13364 (msg:"ET EXPLOIT RXS-3211 IP Camera Password Information Disclosure Attempt"; content:"|FF FF FF FF FF FF 00 06 FF F9|"; reference:bid,47976; classtype:attempted-admin; sid:2012866; rev:2; metadata:created_at 2011_05_26, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:3; metadata:created_at 2011_05_28, signature_severity Major, updated_at 2019_07_26;) #alert ssh $HOME_NET any -> any any (msg:"ET EXPLOIT FreeBSD OpenSSH 3.5p1 possible vulnerable server"; flow:established,from_server; content:"SSH-1.99-OpenSSH_3.5p1 FreeBSD-200"; reference:url,packetstormsecurity.org/files/view/102683/ssh_preauth_freebsd.txt; 
reference:url,seclists.org/2011/Jul/6; classtype:misc-activity; sid:2013167; rev:4; metadata:created_at 2011_07_01, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"GPL EXPLOIT Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:2103453; rev:2; metadata:created_at 2010_09_23, malware_family Arkei, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Obfuscated Base64 in Javascript probably Scalaxy exploit kit"; flow:established,from_server; content:!"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; content:"|2b 2f 3d 22 3b|"; fast_pattern; content:"<<18|7c|"; within:500; content:"<<12|7c|"; within:13; content:"<<6|7c|"; within:13; classtype:exploit-kit; sid:2014027; rev:2; metadata:created_at 2011_12_13, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PDF served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; content:".pdf"; http_uri; pcre:"/\/tmp\/[^\/]+\.pdf$/U"; classtype:exploit-kit; sid:2011972; rev:3; metadata:created_at 2010_11_24, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JAR served from /tmp/ could be Phoenix Exploit Kit"; flow:established,to_server; content:"/tmp/"; http_uri; fast_pattern; content:".jar"; http_uri; pcre:"/\/tmp\/[^\/]+\.jar$/U"; classtype:exploit-kit; sid:2011973; rev:3; metadata:created_at 2010_11_24, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP OpenView Network Node Manager 
OvJavaLocale Cookie Value Buffer Overflow Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/OvCgi/webappmon.exe"; http_uri; nocase; content:"ins=nowait"; nocase; http_uri; content:"cache="; nocase; content:"OvJavaLocale="; nocase; within:15; isdataat:1000,relative; content:!"|0A|"; within:1000; reference:url,www.coresecurity.com/content/hp-nnm-ovjavalocale-buffer-overflow; reference:bugtraq,42154; reference:cve,2010-2709; classtype:web-application-attack; sid:2011328; rev:4; metadata:created_at 2010_09_28, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL EXPLOIT rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102113; rev:4; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL EXPLOIT rsyncd module list 
access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2102047; rev:3; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2102039; rev:7; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"SWF"; fast_pattern:only; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012621; rev:4; metadata:created_at 2011_04_01, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102552; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102553; rev:5; metadata:created_at 2010_09_23, 
confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102554; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102555; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; nocase; isdataat:432,relative; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102556; rev:6; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102557; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; 
classtype:attempted-admin; sid:2102558; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102559; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"GPL EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2102560; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit"; flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 bf 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.milw0rm.com/exploits/3604; classtype:attempted-admin; sid:2003518; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe caloggerd DoS"; flow:established,to_server; content:"|00 06 09 82|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3939; classtype:attempted-dos; sid:2003750; rev:4; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024:65535 (msg:"ET EXPLOIT CA Brightstor ARCServe Mediasvr DoS"; 
flow:established,to_server; content:"|00 06 09 7e|"; offset:16; depth:4; content:"|00 00 00 7e 00 00 00 00 00 00 00 00|"; within:12; reference:url,www.milw0rm.com/exploits/3940; classtype:attempted-dos; sid:2003751; rev:4; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 5168 (msg:"ET EXPLOIT TrendMicro ServerProtect Exploit possible worma(little-endian DCERPC Request)"; flow:established,to_server; dsize:>1000; content:"|05|"; depth:1; content:"|10 00 00 00|"; distance:3; within:4; content:"|00 00 88 88 28 25 5b bd d1 11 9d 53 00 80 c8 3a 5c 2c 04 00 03 00|"; distance:14; within:22; content:"|1c 13 74 65|"; distance:500; reference:url,isc.sans.org/diary.html?storyid=3310; classtype:misc-attack; sid:2007584; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; content:".pdf|00|"; http_uri; reference:url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference:url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference:cve,2004-0629; classtype:attempted-admin; sid:2001217; rev:11; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp any any -> $HOME_NET 3389 (msg:"ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|7f 65 82 01 94|"; distance:24; within:5; content:"|30 19|"; distance:9; within:2; byte_test:1,<,6,3,relative; reference:url,msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; classtype:attempted-admin; sid:2014383; rev:2; metadata:created_at 2012_03_13, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Rhino Exploit Attempt - 
evilcode.class"; flow:established,to_client; content:"code=|22|evilcode.class|22|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5; metadata:created_at 2012_03_26, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"ET EXPLOIT Arkeia full remote access without password or authentication"; flow:to_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference:url,metasploit.com/research/vulns/arkeia_agent; classtype:attempted-admin; sid:2001742; rev:9; metadata:created_at 2010_07_30, malware_family Arkei, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; classtype:suspicious-filename-detect; sid:2008444; rev:3; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; reference:url,xinn.org/Snort-pwdump6.html; classtype:suspicious-filename-detect; sid:2008445; rev:3; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; http_uri; nocase; content:"input|3D|smb|3A 2F|"; http_uri; nocase; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; 
reference:url,milw0rm.org/exploits/9029; classtype:web-application-attack; sid:2009511; rev:7; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; classtype:attempted-user; sid:2011242; rev:3; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:exploit-kit; sid:2014891; rev:1; metadata:created_at 2012_06_14, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:9; metadata:created_at 2010_09_23, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT BMP with invalid bfOffBits"; flow:established,to_client; content:"|0d 0a 0d 0a|BM"; fast_pattern; byte_test:4,>,14,0,relative; content:"|0000000000000000|"; distance:4; within:8; reference:url,www.microsoft.com/technet/security/Bulletin/ms06-005.mspx; reference:cve,2006-0006; reference:bugtraq,16633; classtype:attempted-user; sid:2002803; rev:10; metadata:created_at 2010_07_30, signature_severity 
Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2; metadata:created_at 2012_07_24, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3; metadata:created_at 2012_07_24, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2; metadata:created_at 2012_07_24, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user 
creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10; metadata:created_at 2010_09_23, confidence Low, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4; metadata:created_at 2010_09_23, cve CVE_2001_0797, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT formmail access"; 
flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:17; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; 
reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; 
nocase; classtype:web-application-attack; sid:2101340; rev:8; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:13; 
metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; 
reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; classtype:misc-attack; sid:2007933; rev:8; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; classtype:web-application-attack; sid:2003145; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; classtype:web-application-attack; sid:2003146; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, 
updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; classtype:web-application-attack; sid:2003148; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; classtype:web-application-attack; sid:2003147; rev:5; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5; metadata:created_at 2010_09_23, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; 
reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; classtype:misc-attack; sid:2007934; rev:7; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> 209.139.208.0/23 any (msg:"ET EXPLOIT Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:2; metadata:created_at 2012_10_12, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4; metadata:created_at 2012_12_06, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 
00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016018; rev:2; metadata:created_at 2012_12_12, confidence High, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_12_13, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace)"; flow:established,from_server; file_data; content:"jj2Ejj6Cjj6Fjj63jj61jj74jj69jj6Fjj6Ejj20jj3Djj20jj75jj6Ejj65jj73jj63jj61jj70jj65jj28jj22jj25jj75"; nocase; reference:cve,2012-4792; reference:url,github.com/rapid7/metasploit-framework/commit/6cb9106218bde56fc5e8d72c66fbba9f11c24449; reference:url,eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/; classtype:attempted-user; sid:2016133; rev:3; metadata:created_at 2012_12_30, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - tcp"; flow:established,to_server; content:"|12 06 41 46 50 33 2e 31|"; pcre:"/[a-zA-Z0-9]{5}/i"; reference:bugtraq,27718; reference:url,aluigi.altervista.org/adv/ezipirla-adv.txt; reference:cve,CVE-2008-0759; classtype:successful-dos; sid:2007877; rev:4; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 
2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 14000 (msg:"ET EXPLOIT Borland VisiBroker Smart Agent Heap Overflow"; content:"|44 53 52 65 71 75 65 73 74|"; pcre:"/[0-9a-zA-Z]{50}/R"; reference:bugtraq,28084; reference:url,aluigi.altervista.org/adv/visibroken-adv.txt; classtype:successful-dos; sid:2007937; rev:4; metadata:created_at 2010_07_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"ET EXPLOIT Siemens Gigaset SE361 WLAN Data Flood Denial of Service Vulnerability"; flow:to_server; content:"|90 90 90 90 90|"; depth:5; content:"|90 90 90 90 90|"; distance:0; content:"|90 90 90 90 90|"; distance:0; pcre:"/\x90{200}/"; reference:cve,CVE-2009-3322; reference:bugtraq,36366; reference:url,www.milw0rm.com/exploits/9646; classtype:denial-of-service; sid:2009976; rev:4; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/^\s+A{500}/R"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:5; metadata:created_at 2012_12_04, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit js_property_spray sprayHeap"; flow:established,from_server; file_data; content:"sprayHeap"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016519; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_03_05, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag 
Metasploit, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit mstime_malloc no-spray"; flow:established,from_server; file_data; content:"mstime_malloc"; nocase; pcre:"/^[\r\n\s]*?\x28[^\x29]*?shellcode/Ri"; reference:url,community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation; classtype:attempted-user; sid:2016824; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_05_07, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_07_26;) alert udp any any -> $HOME_NET [623,664] (msg:"ET EXPLOIT IPMI Cipher 0 Authentication mode set"; content:"|07 06 10 00 00 00 00 00 00 00 00|"; offset:3; depth:11; content:"|00 00|"; distance:2; within:2; content:"|00 00 00 08 00 00 00 00 01 00 00 08 00 00 00 00 02 00 00 08 00 00 00 00|"; distance:6; within:24; reference:url,www.intel.com/content/dam/www/public/us/en/documents/product-briefs/second-gen-interface-spec-v2.pdf; reference:url,community.rapid7.com/community/metasploit/blog/2013/06/23/a-penetration-testers-guide-to-ipmi; classtype:attempted-admin; sid:2017094; rev:3; metadata:created_at 2013_07_04, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT DRIVEBY Rawin - Java Exploit -dubspace.jar"; flow:established,to_server; content:"/dubspace.jar"; http_uri; classtype:trojan-activity; sid:2017178; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2013_07_24, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Wscript Shell Run Attempt - Likely Hostile"; flow:established,to_server; content:"WScript.Shell"; nocase; content:".Run"; nocase; within:100; 
pcre:"/[\r\n\s]+(?P<var1>([a-z]([a-z0-9_])*|_+([a-z0-9])([a-z0-9_])*))[\r\n\s]*\x3d[\r\n\s]*CreateObject\(\s*[\x22\x27]Wscript\.Shell[\x27\x22]\s*\).+?(?P=var1)\.run/si"; classtype:attempted-user; sid:2017205; rev:2; metadata:created_at 2013_07_27, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sakura - Java Exploit Recieved - Atomic"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Main-Class|3a| atomic.Atomic"; classtype:trojan-activity; sid:2017506; rev:2; metadata:created_at 2013_09_24, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS [25,587] (msg:"ET EXPLOIT Microsoft Outlook/Crypto API X.509 oid id-pe-authorityInfoAccessSyntax design bug allow blind HTTP requests attempt"; flow:to_server,established; content:"multipart/signed|3B|"; nocase; content:"application/pkcs7-signature|3B|"; nocase; distance:0; content:"|0A|QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB|0D|"; distance:0; reference:cve,2013-3870; reference:url,www.microsoft.com/technet/security/bulletin/MS13-068.mspx; reference:url,blog.nruns.com/blog/2013/11/12/A-portscan-by-email-Alex; classtype:attempted-admin; sid:2017712; rev:10; metadata:created_at 2013_11_14, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit 2013-3346"; flow:established,from_server; file_data; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<>/Rs"; content:"5 0 R>>|0a|endobj|0a|5 0 obj |0a|<<"; pcre:"/^(?:(?!>>).)+?#(?:[46][1-9a-fA-F]|[57][\daA])/Rs"; classtype:attempted-admin; sid:2017900; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_07_26;) alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service 
(Little Endian)"; flow:established,to_server; content:"MMcS"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017923; rev:2; metadata:created_at 2014_01_04, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> any 32764 (msg:"ET EXPLOIT MMCS service (Big Endian)"; flow:established,to_server; content:"ScMM"; depth:4; isdataat:9,relative; reference:url,github.com/elvanderb/TCP-32764; classtype:web-application-attack; sid:2017924; rev:2; metadata:created_at 2014_01_04, signature_severity Major, updated_at 2019_07_26;) alert http $HOME_NET 8083 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys Failed Upgrade BackDoor Access (Server Response)"; flow:from_server,established; file_data; content:"Utopia_Init|3a 20|SUCCEEDED"; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018160; rev:3; metadata:created_at 2014_02_19, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551"; flow:established,from_server; file_data; content:"#default#VML"; content:"stroke"; content:"%66%75%6e%63%74%69%6f%6e"; nocase; content:"%66%72%6f%6d%43%68%61%72%43%6f%64%65"; content:"%63%68%61%72%41%74"; fast_pattern:only; classtype:exploit-kit; sid:2018235; rev:2; metadata:created_at 2014_03_08, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|09 01|"; offset:18; depth:2; content:"|00 03|"; distance:10; within:2; byte_jump:2,2,relative,big; content:"|00 00|"; within:2; byte_test:2,>,512,0,relative,big; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; classtype:attempted-admin; sid:2002061; rev:5; metadata:affected_product Any, 
attack_target Client_and_Server, created_at 2010_07_30, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, confidence Medium, signature_severity Critical, tag Metasploit, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta PDF Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"%PDF"; within:1024; classtype:exploit-kit; sid:2018408; rev:2; metadata:created_at 2014_04_23, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fiesta Flash Exploit Download"; flow:established,from_server; flowbits:isset,ET.Fiesta.Exploit.URI; file_data; content:"ZWS"; within:3; classtype:exploit-kit; sid:2018410; rev:2; metadata:created_at 2014_04_23, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Common Bad Actor Indicators Used in Various Targeted 0-day Attacks"; flow:from_server,established; file_data; content:"dword2data"; fast_pattern; pcre:"/^\s*?\(/Rs"; content:"function"; pcre:"/^\s*?fun\s*?\(/Rs"; content:"CollectGarbage"; reference:cve,2014-0322; reference:cve,2014-1776; classtype:trojan-activity; sid:2018439; rev:4; metadata:created_at 2014_04_30, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT libPNG - Width exceeds limit"; flow:established,from_server; file_data; content:"|89 50 4E 47 0D 0A 1A 0A|"; depth:8; byte_test:4,>,0x80000000,8,relative,big,string,hex; reference:url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype:misc-activity; sid:2001191; rev:13; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; content:"/cgi-bin/jammail.pl?"; 
nocase; http_uri; fast_pattern:only; pcre:"/[\?&]mail=[^&]+?[\x3b\x2c\x7c\x27]/Ui"; reference:bugtraq,13937; classtype:web-application-attack; sid:2001990; rev:7; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Technique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:3; metadata:created_at 2012_12_06, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:cve,CAN-2004-0597; classtype:attempted-admin; sid:2001058; rev:10; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware Tools Update OS Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"exec|3A|"; nocase; content:"args|3A|"; nocase; distance:0; 
content:"UpgradeTools_Task"; distance:0; reference:url,www.exploit-db.com/exploits/15717/; reference:cve,2010-4297; classtype:attempted-admin; sid:2012045; rev:5; metadata:created_at 2010_12_11, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit FireFox WebIDL Privileged Javascript Injection"; flow:from_server,established; file_data; content:".atob(String.fromCharCode("; pcre:"/^(?:90|0x5a|0+?132)\s*?,\s*?(?:71|0x47|0+?107)\s*?,\s*?(?:70|0x46|0+?106)\s*?,\s*?(?:48|0x30|0+?60)\s*?,\s*?(?:89|0x59|0+?131)\s*?,\s*?(?:84|0x54|0+?124)\s*?,\s*?(?:112|0x70|0+?160)/Rsi"; reference:url,www.exploit-db.com/exploits/34448/; classtype:trojan-activity; sid:2019085; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Driveby Bredolab - client exploited by acrobat"; flow:established,to_server; content:"?reader_version="; http_uri; content:"&exn=CVE-"; http_uri; classtype:trojan-activity; sid:2011797; rev:2; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2010_10_09, deployment Perimeter, signature_severity Major, tag DriveBy, updated_at 2019_07_26;) alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful TCP Map to External Network"; dsize:16; content:"|82 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019491; rev:2; metadata:created_at 2014_10_22, confidence Medium, signature_severity 
Major, updated_at 2019_07_26;) alert udp $HOME_NET 5351 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response Successful UDP Map to External Network"; dsize:16; content:"|81 00 00|"; offset:1; depth:3; reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019492; rev:2; metadata:created_at 2014_10_22, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta Java Exploit/Payload URI Struct"; flow:established,to_server; urilen:68<>101; content:"Java/1."; http_user_agent; fast_pattern; content:!"="; http_uri; content:!"&"; http_uri; pcre:"/\/\??[a-f0-9]{60,}(?:\x3b\d+){1,4}$/U"; classtype:exploit-kit; sid:2019611; rev:8; metadata:created_at 2014_10_31, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Fiesta SilverLight 4.x Exploit URI Struct"; flow:established,to_server; urilen:>68; content:"|3b|4"; http_uri; offset:60; pcre:"/\/\??[a-f0-9]{60,}\x3b4[0-1]\d{5}$/U"; classtype:exploit-kit; sid:2019623; rev:2; metadata:created_at 2014_11_03, signature_severity Major, updated_at 2019_07_26;) #alert http $HOME_NET any -> [216.157.99.0/24,72.51.32.0/20,76.74.152.0/21] any (msg:"ET EXPLOIT Possible HanJuan Flash Exploit"; flow:to_server,established; content:".swf"; http_uri; fast_pattern:only; pcre:"/^\/(?:[a-z0-9]{3,7}\/)?[a-z]{3,7}\.swf$/U"; classtype:trojan-activity; sid:2019674; rev:2; metadata:created_at 2014_11_07, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Outbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017800; rev:2; metadata:created_at 
2013_12_05, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT Zollard PHP Exploit Telnet Inbound"; flow:to_server,established; content:"/var/run/.zollard/"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:attempted-user; sid:2017799; rev:2; metadata:created_at 2013_12_05, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6332 DECS2"; flow:established,from_server; file_data; content:"102,117,110,99,116,105,111,110,32,114,117,110,109,117,109,97,97"; classtype:trojan-activity; sid:2020460; rev:4; metadata:created_at 2015_02_18, cve CVE_2014_6332, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 19|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020661; rev:3; metadata:created_at 2015_03_11, cve CVE_2015_0204, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect"; flow:from_server,established; file_data; content:"misc_addons_detect.hasSilverlight"; classtype:trojan-activity; sid:2017810; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_06, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 
2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Browser Exploit Server Plugin Detect 2"; flow:from_server,established; file_data; content:"var os_name|3b|"; content:"var os_vendor|3b|"; content:"var os_device|3b|"; content:"var os_flavor|3b|"; classtype:trojan-activity; sid:2020755; rev:2; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY \x27\x5fntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:7; metadata:created_at 2012_12_06, signature_severity Major, updated_at 2019_07_26;) #alert tcp $HOME_NET 50002 -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Etrust Secure Transaction Platform Identification and Entitlements Server File Disclosure Attempt"; flowbits:isset,ET.etrust.fieldis; flow:established,from_server; content:"Unknown user"; reference:url,shh.thathost.com/secadv/2009-06-15-entrust-ies.txt; reference:url,securitytracker.com/alerts/2010/Sep/1024391.html; classtype:misc-attack; sid:2011503; rev:3; metadata:created_at 2010_09_27, signature_severity Major, updated_at 2019_07_26;) alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M1"; content:"|01 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; 
content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; reference:cve,2015-5477; classtype:attempted-dos; sid:2021572; rev:3; metadata:created_at 2015_08_01, cve CVE_2015_5477, confidence Medium, signature_severity Major, updated_at 2023_05_24;) alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M3"; content:"|00 00 00 01 00 01|"; depth:6; offset:2; pcre:"/^.{4}[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; reference:cve,2015-5477; classtype:attempted-dos; sid:2021574; rev:3; metadata:created_at 2015_08_01, cve CVE_2015_5477, confidence Medium, signature_severity Major, updated_at 2023_05_24;) alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M4"; content:"|00 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; reference:cve,2015-5477; classtype:attempted-dos; sid:2021575; rev:4; metadata:created_at 2015_08_01, cve CVE_2015_5477, confidence Medium, signature_severity Major, updated_at 2023_05_24;) alert udp any any -> any 53 (msg:"ET EXPLOIT Possible BIND9 DoS CVE-2015-5477 M2"; content:"|01 00 00 01|"; depth:4; offset:2; content:"|00 01|"; distance:4; within:2; pcre:"/^[^\x00]+\x00/R"; content:"|00 f9|"; within:2; fast_pattern; pcre:"/^..[^\x00]+\x00/Rs"; content:!"|00 f9|"; within:2; threshold: type limit, track by_src, seconds 60, count 1; reference:cve,2015-5477; classtype:attempted-dos; sid:2021573; rev:4; metadata:created_at 2015_08_01, cve CVE_2015_5477, confidence Medium, signature_severity Major, updated_at 2023_05_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET 
EXPLOIT HT SWF Exploit RIP"; flow:established,from_server; file_data; content:""; content:"getEnvInfo"; content:"getPlatform"; content:"]*?\ssrc\s*?=\s*?[\x22\x27][^\x22\x27]*?\.swf[\x22\x27])(?=[^>]*?\swidth\s*?=\s*?[\x22\x27]0[\x22\x27])[^>]*?\sheight\s*?=\s*?[\x22\x27]0[\x22\x27]/Ri"; classtype:trojan-activity; sid:2021595; rev:2; metadata:created_at 2015_08_04, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Firefox PDF.js Same-Origin-Bypass CVE-2015-4495 M2"; flow:established,from_server; file_data; content:"|77 69 6e 64 6f 77 73 5f 73 65 61 72 63 68 5f 61 6e 64 5f 75 70 6c 6f 61 64 5f 69 6e 5f 61 70 70 5f 64 61 74 61 5f 62 79 5f 64 69 73 6b|"; nocase; content:"|64 71 2e 61 77 61 69 74 41 6c 6c 28 63 61 6c 6c 62 61 63 6b 29|"; nocase; reference:url,nakedsecurity.sophos.com/2015/08/07/firefox-zero-day-hole-used-against-windows-and-linux-to-steal-passwords/; reference:cve,2015-4495; classtype:attempted-user; sid:2021606; rev:2; metadata:created_at 2015_08_11, cve CVE_2015_4495, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HT SWF Exploit RIP M2"; flow:established,from_server; file_data; content:""; content:"return navigator.appName"; content:"return navigator.platform|3b|"; content:"clsid|3a|D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; classtype:trojan-activity; sid:2021710; rev:2; metadata:created_at 2015_08_25, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - ROP"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"|98 2A 00 B0 B3 38 00 B0|"; fast_pattern; content:"|00 10 00 00 07 00 00 00 03 D0 00 D0 04 D0 00 D0 44 11 00 B0|"; distance:4; within:20; reference:cve,2015-1538; 
reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021758; rev:2; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - STSC"; flow:established,from_server; file_data; content:"stsc|00 00 00 00 C0 00 00 03|"; fast_pattern; content:!"|00 00 00 00|"; within:4; pcre:"/^(?P.{4})(?P.{4})(?P=addr2)(?P=addr1)/Rsi"; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021759; rev:2; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"ET EXPLOIT malformed Sack - Snort DoS-by-$um$id"; seq:0; ack:0; window:65535; dsize:0; classtype:attempted-dos; sid:2002656; rev:5; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 1"; flow:established,from_server; file_data; content:"cHJvZ3Jlc3MtY2xhc3"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021986; rev:2; metadata:created_at 2015_10_21, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 2"; flow:established,from_server; file_data; content:"Byb2dyZXNzLWNsYXNz"; 
pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021987; rev:2; metadata:created_at 2015_10_21, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible click2play bypass Oct 19 2015 B64 3"; flow:established,from_server; file_data; content:"wcm9ncmVzcy1jbGFzc"; pcre:"/^[A-Za-z0-9+/]*?(?:amF2YXgubmFtaW5nLkluaXRpYWxDb250ZXh0|phdmF4Lm5hbWluZy5Jbml0aWFsQ29udGV4d|qYXZheC5uYW1pbmcuSW5pdGlhbENvbnRleH)/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-headaches-how-the-pawn-storm-zero-day-evaded-javas-click-to-play-protection/; classtype:trojan-activity; sid:2021988; rev:2; metadata:created_at 2015_10_21, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Calling Common Collection Function"; flow:to_server,established; content:"rO0ABXNyA"; content:"jb21tb25zLmNvbGxlY3Rpb25z"; fast_pattern; distance:0; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022114; rev:1; metadata:created_at 2015_11_17, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"java/io/Serializable"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022116; rev:1; metadata:created_at 2015_11_17, confidence Medium, signature_severity Major, tag possible_exploitation, updated_at 2019_07_26;) alert tcp any any -> 
$HOME_NET any (msg:"ET EXPLOIT Serialized Groovy Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.codehaus.groovy.runtime.ConversionHandler"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022117; rev:1; metadata:created_at 2015_11_17, confidence Medium, signature_severity Major, tag possible_exploitation, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Serialized Spring Java Object Generated by ysoserial"; flow:to_server,established; content:"|ac ed 00 05 73 72 00|"; fast_pattern; content:"org.springframework.core.SerializableTypeWrapper"; nocase; distance:0; content:"ysoserial/payloads/util/Gadgets"; reference:url,github.com/foxglovesec/JavaUnserializeExploits; classtype:misc-activity; sid:2022118; rev:1; metadata:created_at 2015_11_17, confidence Medium, signature_severity Major, tag possible_exploitation, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:5; metadata:created_at 2011_03_15, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received By Vulnerable Client"; flow:established,to_client; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; 
sid:2013484; rev:4; metadata:created_at 2011_08_29, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Phoenix Java MIDI Exploit Received"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"META-INF/services/javax.sound.midi.spi.MidiDeviceProvider"; classtype:bad-unknown; sid:2013485; rev:4; metadata:created_at 2011_08_29, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Crimepack Java exploit attempt(2)"; flow:from_server,established; file_data; content:"PK"; content:"META-INF/MANIFEST"; within:50; content:"PK"; within:150; nocase; content:"Exploit|24 31 24 31 2E|class"; distance:0; fast_pattern; classtype:web-application-attack; sid:2013662; rev:2; metadata:created_at 2011_09_16, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:" $HOME_NET any (msg:"ET EXPLOIT Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; depth:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:3; metadata:created_at 2012_06_26, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Juniper ScreenOS telnet Backdoor Default Password Attempt"; flow:established,to_server; content:"|3c 3c 3c 20 25 73 28 75 6e 3d 27 25 73 27 29 20 3d 20 25 75|"; fast_pattern; threshold: type limit, count 1, seconds 60, track by_src; reference:cve,2015-7755; reference:url,community.rapid7.com/community/infosec/blog/2015/12/20/cve-2015-7755-juniper-screenos-authentication-backdoor; classtype:attempted-admin; sid:2022291; rev:1; metadata:created_at 2015_12_21, cve CVE_2015_7755, confidence High, signature_severity Major, updated_at 2019_07_26;) 
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Office Word 2007 sprmCMajority Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|0D 0A 0D 0A D0 CF 11 E0 A1 B1 1A E1|"; content:"|47 CA FF|"; content:"|3E C6 FF|"; distance:0; isdataat:84,relative; content:!"|0A|"; within:84; reference:url,www.exploit-db.com/moaub11-microsoft-office-word-sprmcmajority-buffer-overflow/; reference:url,www.microsoft.com/technet/security/Bulletin/MS10-056.mspx; reference:bid,42136; reference:cve,2010-1900; classtype:attempted-user; sid:2011478; rev:6; metadata:created_at 2010_09_29, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Windows Common Control Library Heap Buffer Overflow"; flow:established,from_server; content:"Content-Type|3a| image/svg|2b|xml"; nocase; file_data; content:"|3c|svg xmlns="; nocase; distance:0; content:"style|3d 22|fill|3a 20 23|ffffff|22|"; nocase; distance:0; content:"transform"; nocase; distance:0; pcre:"/^=\s*\x22\s*[^\s\x22\x28]{1000}/iR"; reference:bugtraq,43717; reference:url,www.microsoft.com/technet/security/bulletin/MS10-081.mspx; classtype:attempted-admin; sid:2012174; rev:9; metadata:created_at 2011_01_12, confidence High, signature_severity Major, updated_at 2019_07_26;) alert ssh any $SSH_PORTS -> any any (msg:"ET EXPLOIT Possible CVE-2016-0777 Server Advertises Suspicious Roaming Support"; flow:established,to_client; content:"|14|"; offset:6; content:"resume@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022369; rev:2; metadata:created_at 2016_01_15, cve CVE_2016_0777, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> any $SSH_PORTS (msg:"ET EXPLOIT Possible CVE-2016-0777 Client Sent Roaming 
Resume Request"; flow:established,to_server; content:"|14|"; offset:6; content:"roaming@appgate.com"; distance:0; content:!"AppGateSSH_5.2"; reference:cve,2016-0777; reference:url,www.qualys.com/2016/01/14/cve-2016-0777-cve-2016-0778/openssh-cve-2016-0777-cve-2016-0778.txt; classtype:attempted-user; sid:2022370; rev:2; metadata:created_at 2016_01_15, cve CVE_2016_0777, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 03|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020630; rev:6; metadata:created_at 2015_03_06, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020668; rev:2; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; 
depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 28|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020664; rev:4; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 14|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020660; rev:4; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 06|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020631; rev:6; metadata:created_at 2015_03_06, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; 
flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 17|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020669; rev:2; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 29|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020665; rev:4; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 0E|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020633; rev:6; metadata:created_at 2015_03_06, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From 
Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 08|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020632; rev:5; metadata:created_at 2015_03_06, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 11|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020659; rev:4; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 27|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020663; rev:4; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT 
FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2A|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020666; rev:4; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 2B|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020667; rev:4; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204)"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 26|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html; reference:cve,2015-0204; reference:cve,2015-1637; classtype:bad-unknown; sid:2020662; rev:5; metadata:created_at 2015_03_11, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> 
$HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 63|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021124; rev:2; metadata:created_at 2015_05_20, signature_severity Major, updated_at 2019_07_26;) #alert tcp any [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $HOME_NET any (msg:"ET EXPLOIT Logjam Weak DH/DHE Export Suite From Server"; flow:established,from_server; content:"|16 03|"; depth:2; byte_test:1,<,4,0,relative; content:"|02|"; distance:3; within:1; byte_jump:1,37,relative; content:"|00 65|"; within:2; fast_pattern; threshold:type limit,track by_dst,count 1,seconds 1200; reference:url,weakdh.org; classtype:bad-unknown; sid:2021125; rev:2; metadata:created_at 2015_05_20, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:3; metadata:created_at 2012_12_05, signature_severity Major, updated_at 2019_07_26;) #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:11; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> 
$HOME_NET 2200 (msg:"ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS"; flow:established,to_server; content:"|ff ff ff ff|"; offset:16; depth:4; reference:url,www.securityfocus.com/archive/1/archive/1/458650/100/0/threaded; classtype:attempted-dos; sid:2003379; rev:4; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MS16-009 IE MSHTML Form Element Type Confusion (CVE-2016-0061)"; flow:from_server,established; file_data; content:"opener"; nocase; fast_pattern; pcre:"/^\s*\[\s*[\x22\x27]\\u[a-f0-9]{4}\\u[a-f0-9]{4}/Rsi"; reference:cve,2016-0061; classtype:attempted-user; sid:2022524; rev:4; metadata:created_at 2016_02_16, cve CVE_2016_0061, confidence High, signature_severity Major, updated_at 2019_07_26;) alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 Malformed Server response"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:8; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^[^\x00]+\x00\x00\x01/R"; reference:cve,2015-7547; classtype:attempted-user; sid:2022531; rev:1; metadata:created_at 2016_02_17, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible 2015-7547 PoC Server Response"; flow:from_server; content:"|83 80 00 01 00 00 00 00 00 00|"; offset:2; depth:10; isdataat:2049; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022542; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup"; 
flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 01 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022543; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup"; flow:from_server; content:"|00 01|"; offset:4; depth:2; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^.{6}[^\x00]+/Rs"; content:"|00 00 1c 00 01|"; within:5; reference:cve,2015-7547; classtype:attempted-user; sid:2022544; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert udp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA"; flow:from_server; content:"|00 01 00 00 00 00 00 00|"; offset:4; depth:10; isdataat:2049; byte_test:1,&,128,2; byte_test:1,!&,64,2; byte_test:1,!&,32,2; byte_test:1,!&,16,2; byte_test:1,!&,8,2; byte_test:1,&,2,2; byte_test:1,!&,1,3; byte_test:1,!&,2,3; byte_test:1,!&,4,3; byte_test:1,!&,8,3; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; reference:cve,2015-7547; classtype:attempted-user; sid:2022545; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set)"; flow:established,to_server; 
byte_test:2,<,513,0; byte_test:1,!&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01 00 00 00 00 00 00|"; offset:6; depth:8; pcre:"/^(?:.[a-z0-9-]{2,}){2,}\x00\x00(?:\x01|\x1c)/Ri"; flowbits:set,ET.CVE20157547.primer; flowbits:noalert; reference:cve,2015-7547; classtype:attempted-user; sid:2022546; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query"; flow:established,from_server; flowbits:isset,ET.CVE20157547.primer; byte_test:2,>,2048,0; byte_test:1,&,128,4; byte_test:1,!&,64,4; byte_test:1,!&,32,4; byte_test:1,!&,16,4; byte_test:1,!&,8,4; content:"|00 01|"; offset:6; depth:2; reference:cve,2015-7547; classtype:attempted-user; sid:2022547; rev:1; metadata:created_at 2016_02_18, cve CVE_2015_7547, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js (Remote Debugger)"; flow:from_server,established; file_data; content:"/json/new/"; content:"javascript|3a|require"; distance:0; content:"child_process"; fast_pattern; distance:0; content:"spawnSync"; distance:0; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=773; classtype:trojan-activity; sid:2022693; rev:2; metadata:created_at 2016_03_31, signature_severity Major, updated_at 2019_07_26;) alert udp $EXTERNAL_NET any -> $HOME_NET 39889 (msg:"ET EXPLOIT Quanta LTE Router UDP Backdoor Activation Attempt"; flow:to_server; content:"HELODBG"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022699; rev:1; metadata:created_at 2016_04_05, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> any 6129 (msg:"ET EXPLOIT Dameware DMRC Buffer Overflow Attempt (CVE-2016-2345)"; 
flow:established,to_server; content:"|44 9c 00 00|"; depth:4; content:"|90 90 90 90 90 90 90 90|"; distance:0; content:"|eb 06 ff ff 61 11 40 00 90 90 90 e9 6b fa ff ff|"; distance:0; reference:cve,2016-2345; reference:url,www.securifera.com/blog/2016/04/03/fun-with-remote-controllers-dameware-mini-remote-control-cve-2016-2345; classtype:attempted-admin; sid:2022712; rev:1; metadata:created_at 2016_04_06, cve CVE_2016_2345, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any !80 -> $HOME_NET any (msg:"ET EXPLOIT Open MGate Device"; flow:established,from_server; content:"Model name|20|"; pcre:"/^\x20+\x3a\x20MGate/R"; content:"|0d 00 0a|MAC address|20|"; distance:0; pcre:"/^\x20+\x3a\x20(?:[0-9A-F]{2}\x3a){5}[0-9A-F]{2}\x0d\x00\x0a/R"; classtype:successful-admin; sid:2022732; rev:2; metadata:created_at 2016_04_14, signature_severity Major, updated_at 2019_07_26;) alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT CVE-2016-1287 Public Exploit ShellCode"; content:"|60 c7 02 90 67 b9 09 8b 45 f8 8b 40 5c 8b 40 04 8b 40 08 8b 40 04 8b 00 85 c0 74 3b 50 8b 40 08 8b 40 04 8d 98 d8 00 00 00 58 81 3b d0 d4 00 e1 75 e4 83 7b 04 31 74 de 89 d8 2d 00 01 00 00 c7 40 04 03 01 00 00 c7 40 0c d0 00 00 00 c7 80 f8|"; reference:url,github.com/exodusintel/disclosures/blob/master/CVE_2016_1287_PoC; classtype:attempted-admin; sid:2022820; rev:1; metadata:created_at 2016_05_18, cve CVE_2016_1287, confidence High, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"ET EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4,>,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:cve,2004-1172; classtype:misc-attack; sid:2002065; rev:8; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 
2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M1"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F 91 03 00 00|"; content:!"|00 00|"; distance:503; within:2; content:"|00 00 BA 0F 16 01 00 00|"; distance:913; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022923; rev:2; metadata:created_at 2016_06_29, cve CVE_2016_2209, confidence Low, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2209 Symantec PowerPoint Parsing Buffer Overflow M2"; flow:established,from_server; file_data; content:"|C8 6A CD E5 F1 2C B0 16 E6 F2 36 7B 41 2E 7F 4B C4 27 13 CF F3 1F FF 2B A8 2B 3A FE 09 77 BE CE 29 00 00 BA 0F A9 03 00 00|"; content:!"|00 00|"; distance:50; within:2; content:"|00 00 BA 0F 2E 01 00 00|"; distance:937; within:8; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022924; rev:2; metadata:created_at 2016_06_29, cve CVE_2016_2209, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow"; flow:established,from_server; file_data; content:"|4d 53 43 46|"; depth:4; byte_jump:4,8,little; isdataat:1; reference:cve,2016-2211; reference:cve,CVE-2014-9732; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:trojan-activity; sid:2022930; rev:2; metadata:created_at 2016_06_30, confidence Low, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M2"; flow:established,to_client; file_data; 
content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022932; rev:2; metadata:created_at 2016_06_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M1"; flow:established,to_client; file_data; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022933; rev:2; metadata:created_at 2016_06_30, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"GPL EXPLOIT WEB-MISC JBoss RMI class download service directory listing attempt"; flow:to_server,established; content:"GET %. 
HTTP/1."; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=111911095424496&w=2; classtype:web-application-attack; sid:2103461; rev:1; metadata:created_at 2016_08_04, signature_severity Major, updated_at 2019_07_26;) alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA PMCHECK Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ac 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023070; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2019_07_26;) alert udp any any -> any 161 (msg:"ET EXPLOIT Equation Group ExtraBacon Cisco ASA AAAADMINAUTH Disable"; content:"|bf a5 a5 a5 a5 b8 d8 a5 a5 a5 31 f8 bb a5|"; content:"|ad 31 fb b9 a5 b5 a5 a5 31 f9 ba a2 a5 a5 a5 31 fa cd 80 eb 14 bf|"; distance:2; within:22; content:"|31 c9 b1 04 fc f3 a4 e9 0c 00 00 00 5e eb ec e8 f8 ff ff ff 31 c0 40 c3|"; distance:4; within:24; reference:url,xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/; classtype:attempted-admin; sid:2023071; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2019_07_26;) alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET EXPLOIT CISCO FIREWALL SNMP Buffer Overflow Extrabacon (CVE-2016-6366)"; content:"|06 01 04 01 09 09 83 6B|"; 
pcre:"/^(?:\x01(?:(?:\x01(?:(?:\x04(?:(?:\x03(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x04(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?|\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a])?)?))?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|\x02(?:[\x01\x02\x03\x04])?|\x03(?:[\x01\x02])?))?|\x03(?:(?:\x03(?:\x01(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e])?)?)?|\x01(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13])?|\x02(?:[\x01\x02])?))?|\x05(?:(?:\x02(?:\x01(?:[\x01\x02\x03\x04\x05\x06\x07])?)?|\x01(?:[\x01\x02\x03])?))?|\x02(?:(?:[\x01\x02]|\x03(?:\x01(?:[\x01\x02\x03])?)?))?|\x06(?:\x01(?:[\x01\x02\x03\x05\x06\x07\x08\x09\x0a\x0b])?)?|\x07(?:[\x01\x02])?|\x04))?|\x02(?:(?:\x02(?:[\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c])?|(?:\x01)?\x01))?)/Rsi"; content:"|81 10 81 10 81 10 81 10 81 10 81 10 81 10 81 10|"; within:160; fast_pattern; reference:cve,2016-6366; classtype:misc-attack; sid:2023086; rev:1; metadata:affected_product Cisco_ASA, attack_target Server, created_at 2016_08_25, cve CVE_2016_6366, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, tag CISA_KEV, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Challack Tool in use"; flow:no_stream,to_server; flags:R; dsize:1; content:"x"; threshold: type both, track by_dst, seconds 1, count 90; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023140; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Datacenter, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RST Flood With Window"; flow:no_stream,to_server; flags:R; 
window:!0; threshold: type both, track by_dst, seconds 1, count 101; reference:url,www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf; reference:cve,2016-5696; classtype:misc-attack; sid:2023141; rev:2; metadata:affected_product Linux, attack_target Server, created_at 2016_08_29, deployment Perimeter, performance_impact Significant, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2014-6332 Sep 01 2016 (HFS Actor) M1"; flow:established,from_server; file_data; content:"|26 63 68 72 77 28 32 31 37 36 29 26 63 68 72 77 28 30 31 29 26|"; nocase; content:"|26 63 68 72 77 28 33 32 37 36 37 29|"; nocase; content:"|73 65 74 6e 6f 74 73 61 66 65 6d 6f 64 65 28 29|"; nocase; content:"|72 75 6e 73 68 65 6c 6c 63 6f 64 65 28 29|"; nocase; reference:cve,2014-6332; classtype:trojan-activity; sid:2023145; rev:2; metadata:affected_product Internet_Explorer, attack_target Client_Endpoint, created_at 2016_09_01, cve CVE_2014_6332, deployment Perimeter, malware_family IEiExploit, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) Set"; flow:established,from_server; file_data; content:"ftyp"; fast_pattern; offset:4; depth:4; content:"|00|"; distance:5; within:1; flowbits:set,ET.MP4Stagefright; flowbits:noalert; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023184; rev:2; metadata:created_at 2016_09_12, cve CVE_2016_3861, confidence Medium, signature_severity Major, tag Android_Exploit, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 (CVE 2016-3861) ROP"; flow:established,from_server; content:"ID3"; content:!"|FF|"; within:1; content:"|41 d8 41 d8 41 dc 41 d8 41 d8 41 dc|"; 
fast_pattern; within:800; pcre:"/^(\x41\xd8\x41\xd8\x41\xdc){2,}\x41\x00/R"; flowbits:isset,ET.MP4Stagefright; reference:cve,2016-3861; reference:url,googleprojectzero.blogspot.com.br/2016/09/return-to-libstagefright-exploiting.html; classtype:attempted-user; sid:2023185; rev:2; metadata:affected_product Android, attack_target Client_Endpoint, created_at 2016_09_12, cve CVE_2016_3861, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Android_Exploit, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"unhex"; nocase; distance:0; content:"67656e6572616c5f6c6f675f66696c65"; distance:0; nocase; content:"2e636e66"; nocase; content:"6e6d616c6c6f635f6c6962"; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023201; rev:1; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, cve CVE_2016_6662, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2015-2419 As observed in Magnitude EK"; flow:established,from_server; file_data; content:"|5b 30 78 35 33 2c 20 30 78 35 35 2c 20 30 78 35 36 2c 20 30 78 65 38 2c 20 30 78 30 39 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 30 30 2c 20 30 78 35 65 2c 20 30 78 35 64 2c 20 30 78 35 62 2c 20 30 78 38 62 2c 20 30 78 36 33 2c 20 30 78 30 63 2c 20 30 78 63 32 2c 20 30 78 30 63 2c 20 30 78 30 30 2c 20 30 78 39 30 5d|"; nocase; content:"|30 78 31 32 38 65 30 30 32 30|"; nocase; content:"|4a 53 4f 4e|"; nocase; content:"|73 74 72 69 6e 67 69 66 79|"; nocase; classtype:exploit-kit; sid:2023253; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target 
Client_Endpoint, created_at 2016_09_21, cve CVE_2015_2419, deployment Perimeter, malware_family Magnitude, confidence High, signature_severity Major, tag Magnitude_EK, tag CISA_KEV, updated_at 2019_07_26;) alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible Cisco IKEv1 Information Disclosure Vulnerability CVE-2016-6415"; dsize:>828; content:"|00 00 00 00 00 00 00 00 01 10|"; offset:8; depth:10; content:"|80 02 00|"; distance:30; byte_test:1,<,3,0,relative; byte_test:1,>,0,0,relative; content:"|80 04 00 01 00 06|"; distance:1; within:6; fast_pattern; byte_test:2,>,768,0,relative; reference:cve,2016-6415; classtype:attempted-user; sid:2023311; rev:1; metadata:affected_product Cisco_PIX, attack_target Networking_Equipment, created_at 2016_09_29, cve CVE_2016_6415, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;) alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attemted SSH Authorized Key Writing Attempt"; flow:established,to_server; content:"*"; depth:1; content:"config"; content:"set"; distance:0; content:"|0D 0A|dbfilename|0D 0A|"; distance:0; content:"|0D 0A|authorized_keys|0D 0A|"; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023511; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity Major, tag SCAN_Redis_SSH, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"ET EXPLOIT REDIS Attempted SSH Key Upload"; flow:established,to_server; content:"*"; depth:1; content:"|0D 0A|set|0D 0A|"; content:"ssh-rsa "; distance:0; reference:url,antirez.com/news/96; classtype:attempted-admin; sid:2023512; rev:1; metadata:attack_target Client_Endpoint, created_at 2016_11_15, deployment Datacenter, signature_severity 
Major, tag SCAN_Redis_SSH, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M1"; flow:established,from_server; file_data; content:"|66 69 6e 64 50 6f 70 52 65 74|"; nocase; content:"|66 69 6e 64 53 74 61 63 6b 50 69 76 6f 74|"; nocase; content:"|56 69 72 74 75 61 6c 41 6c 6c 6f 63|"; nocase; content:"|72 6f 70 43 68 61 69 6e|"; nocase; content:"|6b 65 72 6e 65 6c 33 32 2e 64 6c 6c|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023559; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Firefox 0-day used against TOR browser Nov 29 2016 M2"; flow:established,from_server; file_data; content:"|72 6f 70 43 68 61 69 6e 28 72 6f 70 42 61 73 65 2c 76 74 61 62 6c 65 5f 6f 66 66 73 65 74 2c 31 30 2c 72 6f 70 41 72 72 42 75 66 29 3b|"; nocase; reference:url,arstechnica.com/security/2016/11/firefox-0day-used-against-tor-users-almost-identical-to-one-fbi-used-in-2013/; classtype:attempted-admin; sid:2023560; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Firefox, attack_target Client_Endpoint, created_at 2016_11_30, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|43 6f 6c 6c 65 63 74 47 61 72 62 61 67 65|"; nocase; content:"|73 70 72 61 79 48 65 61 70|"; nocase; content:"|73 65 74 41 
64 64 72 65 73 73|"; nocase; content:"|30 78 63 36 62 65 63|"; nocase; content:"|30 78 46 46 46 46 30 30 30 30|"; nocase; classtype:attempted-admin; sid:2023568; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-3210 Exploit Observed ITW M1 Nov 30"; flow:established,from_server; file_data; content:"|77 72 69 74 65 4e 28 72 6f 70 61 64 64 72 20 2b 20 69 20 2a 20 34 2c 20 72 6f 70 5b 69 5d 2c 20 34 29 3b|"; classtype:attempted-admin; sid:2023569; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_11_30, cve CVE_2016_3210, deployment Perimeter, confidence High, signature_severity Major, tag Exploit_Kit_Sundown, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 1"; flow:established,to_client; file_data; content:"0x1DA2F5"; fast_pattern; nocase; content:"0x1DA2CB"; nocase; distance:0; content:"getPrototypeOf"; nocase; content:".__proto__"; nocase; content:"Symbol.species"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023700; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, cve CVE_2016_7200, deployment Perimeter, confidence Medium, signature_severity Critical, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) 
Observed in SunDown EK 2"; flow:established,to_client; file_data; content:"rop.length"; fast_pattern; nocase; content:"Write64"; nocase; distance:0; pcre:"/^\s*\x28\s*retPtrAddr\.add\s*\x28\s*i\s*\*\s*8\s*\x29\s*,\s*rop\s*\x5b/Rsi"; reference:cve,2016-7200; reference:url,malware.dontneedcoffee.com/2017/01/CVE-2016-7200-7201.html; classtype:attempted-user; sid:2023701; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, cve CVE_2016_7200, deployment Perimeter, confidence Medium, signature_severity Critical, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B642"; flow:established,from_server; file_data; content:"RyaWdnZXJGaWxsRnJvbVByb3RvdHlwZXNCdW"; classtype:trojan-activity; sid:2023703; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, cve CVE_2016_7200, deployment Perimeter, confidence Medium, signature_severity Critical, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B643"; flow:established,from_server; file_data; content:"UcmlnZ2VyRmlsbEZyb21Qcm90b3R5cGVzQnVn"; classtype:trojan-activity; sid:2023704; rev:2; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, cve CVE_2016_7200, deployment Perimeter, confidence Medium, signature_severity Critical, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2019_07_26;) alert udp $HOME_NET 5351 -> [!224.0.0.1,$EXTERNAL_NET] any (msg:"ET EXPLOIT Possible Malicious NAT-PMP Response to External Network"; dsize:12; content:"|80 00 00|"; offset:1; depth:3; 
reference:url,community.rapid7.com/community/metasploit/blog/2014/10/21/r7-2014-17-nat-pmp-implementation-and-configuration-vulnerabilities; classtype:attempted-admin; sid:2019490; rev:3; metadata:created_at 2014_10_22, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) Observed in SunDown EK 3"; flow:established,from_server; file_data; content:"|66 75 6e 63 74 69 6f 6e 20 54 72 69 67 67 65 72 46 69 6c 6c 46 72 6f 6d 50 72 6f 74 6f 74 79 70 65 73 42 75 67 28 6c 6f 2c 20 68 69 29|"; nocase; content:"|63 68 61 6b 72 61 42 61 73 65 2e 61 64 64|"; nocase; content:"|73 68 63 6f 64 65 41 64 64 72 2e 61 6e 64|"; nocase; classtype:exploit-kit; sid:2023699; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, cve CVE_2016_7200, deployment Perimeter, confidence Medium, signature_severity Critical, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft RDP Client for Mac RCE"; flow:established,to_client; content:"rdp|3a 2f 2f|"; nocase; content:"drivestoredirect"; fast_pattern; nocase; distance:0; content:"rdp|3a 2f 2f|"; nocase; pcre:"/^\S+?drivestoredirect/Ri"; reference:url,www.wearesegment.com/research/Microsoft-Remote-Desktop-Client-for-Mac-Remote-Code-Execution; classtype:attempted-admin; sid:2023755; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2017_01_24, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Ticketbleed Client Hello (CVE-2016-9244)"; flow:established,from_client; content:"|16 03|"; depth:2; content:"|01|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; 
byte_test:1,<,32,32,relative; byte_test:1,>,1,32,relative; flowbits:set,ET.ticketbleed; flowbits:noalert; reference:cve,2016-9244; reference:url,filippo.io/Ticketbleed; classtype:misc-attack; sid:2023896; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Ticketbleed Server Hello (CVE-2016-9244)"; flow:established,to_client; content:"|16 03|"; depth:2; content:"|02|"; distance:3; within:1; content:"|03 03|"; distance:3; within:2; content:"|20|"; distance:32; within:1; flowbits:isset,ET.ticketbleed; reference:url,filippo.io/Ticketbleed; reference:cve,2016-9244; classtype:misc-attack; sid:2023897; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_02_10, deployment Datacenter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 2381 (msg:"ET EXPLOIT HP Smart Storage Administrator Remote Command Injection"; flow:to_server,established; content:"echo -n|20|"; pcre:"/^\s*(?:f0VMR|9FTE|\/RUxG)/R"; reference:cve,2016-8523; classtype:attempted-user; sid:2024063; rev:2; metadata:affected_product HP_Smart_Storage_Administrator, attack_target Server, created_at 2017_03_15, cve CVE_2016_8523, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2019_07_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-LINK DIR-615 Cross-Site Request Forgery (CVE-2017-7398)"; flow:from_server,established; file_data; content:"/form2WlanBasicSetup.cgi"; fast_pattern; nocase; content:"method"; nocase; distance:0; 
pcre:"/^\s*=\s*[\x27\x22]\s*POST/Rsi"; content:"ssid"; nocase; content:"save"; nocase; content:"Apply"; nocase; distance:0; reference:cve,CVE-2017-7398; classtype:attempted-user; sid:2024181; rev:2; metadata:affected_product D_Link_DIR_615, attack_target Client_Endpoint, created_at 2017_04_05, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Cisco Catalyst Remote Code Execution (CVE-2017-3881)"; flow:to_server,established; content:"|ff fa 24 00 03|CISCO_KITS"; content:"|3a|"; distance:2; within:1; isdataat:160,relative; content:!"|3a|"; within:160; reference:url,artkond.com/2017/04/10/cisco-catalyst-remote-code-execution/; classtype:attempted-user; sid:2024194; rev:1; metadata:affected_product CISCO_Catalyst, attack_target IoT, created_at 2017_04_10, cve CVE_2017_3881, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010"; flow:from_server,established; content:"|FF|SMB|25 05 00 00 80|"; offset:4; depth:9; content:"LSbfLScnLSepLSlfLSmf"; distance:0; fast_pattern; content:"LSrfLSsrLSscLSblLSss"; within:20; content:"LSshLStrLStcLSopLScd"; within:20; flowbits:set,ETPRO.ETERNALROMANCE; classtype:trojan-activity; sid:2024208; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, confidence Medium, signature_severity Critical, updated_at 2019_07_26;) alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 ff ff ff ff 08 00|"; distance:30; within:10; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; 
content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; fast_pattern; content:"|2e 00 00 00 00 00 00 00 2e 00 00 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; within:12; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; content:"|2f 00 41 00 2f 00 2e 00 2e 00 2f 00|"; distance:0; isdataat:800,relative; classtype:trojan-activity; sid:2024215; rev:1; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, confidence Medium, signature_severity Critical, updated_at 2019_07_26;) alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALCHAMPION MS17-010 Sync Request (set)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 03 c0 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:24; content:"|00 00 00 00 ff ff ff ff 00 00|"; distance:17; within:10; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 4c 00 41 00 4e 00 4d 00 41 00 4e 00 00 00|"; distance:13; within:26; content:"|82 00|zb12g12DWrLehig24"; within:19; fast_pattern; flowbits:set,ET.ETERNALCHAMPIONsync; flowbits:noalert; classtype:trojan-activity; sid:2024212; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, confidence Medium, signature_severity Critical, updated_at 2019_07_26;) alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound"; flow:to_server; content:"|84 00 00|"; byte_test:1,<,9,0,relative; byte_jump:1,0,relative,post_offset -4; content:"|00 00 00|"; within:3; byte_test:1,<,8,0,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022506; rev:3; metadata:created_at 2016_02_12, cve CVE_2016_1287, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 2"; flow:to_server; content:"|84 20|"; depth:2; offset:16; byte_test:2,<,9,12,relative; 
reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022515; rev:2; metadata:created_at 2016_02_12, cve CVE_2016_1287, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"ET EXPLOIT Possible CVE-2016-1287 Invalid Fragment Size Inbound 3"; flow:to_server; content:"|84 10|"; depth:2; offset:16; byte_test:2,<,9,12,relative; reference:url,blog.exodusintel.com/2016/02/10/firewall-hacking; classtype:trojan-activity; sid:2022516; rev:2; metadata:created_at 2016_02_12, cve CVE_2016_1287, confidence Medium, signature_severity Major, updated_at 2019_07_26;) #alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; reference:url,xinn.org/Snort-fgdump.html; classtype:suspicious-filename-detect; sid:2008476; rev:4; metadata:created_at 2010_07_30, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-01 - Unauthed RCE via bprd"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; pcre:"/^.*?[\x24\x60]/R"; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024308; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-02 - Possible Unauthed RCE via nbbsdtar"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"/bin/"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024309; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, performance_impact Moderate, 
confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 1556 (msg:"ET EXPLOIT NB8-04 - Possible Unauthed RCE via whitelist bypass"; flow:established,to_server; content:"ack="; depth:4; content:"extension=bprd"; distance:0; fast_pattern; content:"BPCD_WHITELIST_PATH"; distance:0; reference:url,seclists.org/fulldisclosure/2017/May/27; classtype:web-application-attack; sid:2024310; rev:1; metadata:attack_target Server, created_at 2017_05_17, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (.so file write to share) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|2d 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|12 00|"; distance:40; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024335; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, cve CVE_2017_7494, deployment Datacenter, performance_impact Low, signature_severity Critical, tag CISA_KEV, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT Samba Arbitrary Module Loading Vulnerability (NT Create AndX .so) (CVE-2017-7494)"; flow:to_server,established; content:"SMB|a2 00|"; offset:5; depth:5; content:"|00 00|"; distance:1; within:2; content:"|2e|so|00|"; fast_pattern; distance:16; reference:cve,2017-7494; reference:url,github.com/rapid7/metasploit-framework/pull/8450; classtype:attempted-admin; sid:2024336; rev:1; metadata:attack_target SMB_Server, created_at 2017_05_25, cve CVE_2017_7494, deployment Datacenter, performance_impact Low, signature_severity Critical, tag CISA_KEV, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible $MFT NTFS Device Access in 
HTTP Response"; flow:from_server,established; content:"file://"; content:"/$MFT/"; distance:0; fast_pattern; content:"src"; pcre:"/^\s*=\s*[^>]*file\x3a[^>]*\/\x24MFT\//Ris"; reference:url,www.securitytracker.com/id/1038575; classtype:trojan-activity; sid:2024337; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_30, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,from_server; file_data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:12; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_07_26;) alert tcp $HOME_NET any -> $HOME_NET 42 (msg:"ET EXPLOIT Possible WINS Server Remote Memory Corruption Vulnerability"; flow:to_server,established; dsize:48; content:"|00 00 78 00|"; offset:4; depth:4; content:"|00 00 00 05|"; offset:16; depth:4; fast_pattern; threshold: type both, count 3, seconds 1, track by_src; 
reference:url,blog.fortinet.com/2017/06/14/wins-server-remote-memory-corruption-vulnerability-in-microsoft-windows-server; classtype:attempted-user; sid:2024435; rev:1; metadata:affected_product Windows_DNS_server, attack_target DNS_Server, created_at 2017_06_29, deployment Datacenter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2019_07_26;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET EXPLOIT Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)"; flow:to_server,established; content:"|FF 53 4d 42 72|"; offset:4; depth:5; content:"|00 26|"; distance:7; within:2; reference:url,www.exploit-db.com/exploits/14674/; reference:url,www.microsoft.com/technet/security/bulletin/ms09-050.mspx; reference:cve,2009-3103; classtype:attempted-user; sid:2012063; rev:3; metadata:created_at 2010_12_17, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> any 445 (msg:"ET EXPLOIT ETERNALBLUE Exploit M2 MS17-010"; flow:established,to_server; content:"|8000a80000000000000000000000000000000000ffff000000000000ffff0000000000000000000000000000000000000000000000f1dfff000000000000000020f0dfff00f1dfffffffffff600004100000000080efdfff|"; reference:cve,CVE-2017-0143; classtype:attempted-admin; sid:2024297; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Exploit M3 MS17-010"; flow:to_server,established; content:"|ff|SMB|32 00 00 00 00 18 07 c0|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00 00 08 ff fe 00 08|"; distance:2; within:16; fast_pattern; content:"|0f 0c 00 00 10 01 00 00 00 00 00 00 00 f2 00 00 00 00 00 0c 00 42 00 00 10 4e 00 01 00 0e 00 0d 10 00|"; distance:2; within:34; isdataat:1000,relative; 
threshold: type both, track by_src, count 10, seconds 1; classtype:trojan-activity; sid:2024430; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_27, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Critical, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exploit"; flow:established,from_server; file_data; content:"triggerBug"; nocase; fast_pattern; pcre:"/^\s*(?:\x28|\%28)/Rs"; content:"exploit"; nocase; pcre:"/^\s*(?:\x28|\%28)o/Rs"; content:"intToStr"; nocase; pcre:"/^\s*(?:\x28|\%28)x/Rs"; content:"strToInt"; nocase; pcre:"/^\s*(?:\x28|\%28)s/Rs"; classtype:trojan-activity; sid:2024676; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, cve CVE_2016_0189, deployment Perimeter, signature_severity Critical, tag CISA_KEV, updated_at 2019_07_26;) #alert tcp any any -> $HOME_NET 445 (msg:"ET EXPLOIT [PTsecurity] DoublePulsar Backdoor installation communication"; flow: to_server, established; content:"|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test:2,!=,0x0000,52,relative,little; pcre: "/^.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/R"; reference:url,github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:2024766; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target SMB_Server, created_at 2017_09_25, deployment Internet, performance_impact Low, signature_severity Major, updated_at 2019_07_26;) alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ET.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2; 
metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, confidence Medium, signature_severity Critical, updated_at 2019_07_26;) alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ET.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, confidence Medium, signature_severity Critical, updated_at 2019_07_26;) alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Exim4 UAF Attempt (BDAT with non-printable chars)"; flow:established,to_server; content:"BDAT"; depth:5; pcre:"/^\s*\d*[^\x20-\x7e\r\n\t]/R"; reference:url,lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html; classtype:attempted-admin; sid:2025063; rev:3; metadata:attack_target SMTP_Server, created_at 2017_11_27, deployment Internal, deployment Datacenter, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M2"; flow:established,to_server; content:"CenturyL1nk"; fast_pattern; classtype:attempted-admin; sid:2024980; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_13, deployment Perimeter, malware_family Mirai, performance_impact Low, confidence Low, signature_severity Critical, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; classtype:attempted-user; sid:2010001; rev:4; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_readerrorlogs access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|a|00|d|00|e|00|r|00|r|00|o|00|r|00|l|00|o|00|g|00|s|00|"; nocase; classtype:attempted-user; sid:2010002; rev:5; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT xp_enumdsn access"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|d|00|s|00|n|00|"; nocase; classtype:attempted-user; sid:2010003; rev:5; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible MeltDown PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|57 53 41 50 41 51|"; content:"|0F AE F0|"; distance:50; within:53; content:"|0F AE|"; distance:15; within:12; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|0F AE F0 0F 31|"; distance:45; within:25; content:"|0F AE F0 0F 31|"; distance:17; within:12; reference:cve,2017-5754; classtype:attempted-admin; sid:2025195; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, cve CVE_2017_5754, deployment Perimeter, malware_family MeltDown_Exploit, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Spectre PoC Download In Progress"; flow:established,from_server; flowbits:isset,ET.http.binary; file_data; content:"|E7 03 00 00|"; content:"|48 0F AE|"; distance:17; within:9; pcre:"/^[\x30-\x3f\x7D]/Rs"; content:"|48 0F AE 3D|"; distance:41; within:10; content:"|48 98|"; distance:64; within:22; content:"|0F 01 F9|"; distance:50; within:9; content:"|0F 01 F9|"; distance:30; within:9; reference:cve,2017-5753; reference:cve,2017-5715; classtype:attempted-admin; sid:2025196; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_01_10, cve 
CVE_2017_5753, deployment Perimeter, malware_family Spectre_Exploit, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 25 (msg:"ET EXPLOIT [PT Security] Exim <4.90.1 Base64 Overflow RCE (CVE-2018-6789)"; flow: established,to_server,only_stream; content:"|0D 0A|AUTH"; pcre:"/AUTH\s+\S+\s+(?:[a-zA-Z0-9\+\/=]{4})*+[a-zA-Z0-9\+\/=]{3}\s/"; reference:cve,2018-6789; reference:url,devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/; reference:url,github.com/ptresearch/AttackDetection/blob/master/CVE-2018-6789/cve-2018-6789.rules; classtype:attempted-admin; sid:2025427; rev:1; metadata:attack_target SMTP_Server, created_at 2018_03_13, cve CVE_2018_6789, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET 4786 (msg:"ET EXPLOIT Possible CVE-2018-0171 Exploit (PoC based)"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 07|"; depth:12; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:12; within:36; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; distance:4; within:44; reference:cve,2018-0171; reference:url,embedi.com/blog/cisco-smart-install-remote-code-execution/; classtype:attempted-admin; sid:2025472; rev:1; metadata:affected_product Cisco_ASA, attack_target Networking_Equipment, created_at 2018_04_06, cve CVE_2018_0171, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - Update Ios and Execute"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 02 00 00 01 c4|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025520; rev:1; metadata:attack_target 
Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - ChangeConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 03 00 00 01 28|"; depth:16; content:"://"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025521; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> any 4786 (msg:"ET EXPLOIT Cisco Smart Install Exploitation Tool - GetConfig"; flow:established,to_server; content:"|00 00 00 01 00 00 00 01 00 00 00 08 00 00 04 08|"; depth:16; content:"copy|20|"; distance:0; reference:url,www.us-cert.gov/ncas/alerts/TA18-106A; reference:url,github.com/Sab0tag3d/SIET; classtype:bad-unknown; sid:2025522; rev:1; metadata:attack_target Networking_Equipment, created_at 2018_04_20, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ecessa WANWorx WVR-30 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"user_username"; content:"user_passwd"; content:"checked"; content:"savecrtcfg"; fast_pattern; classtype:web-application-attack; sid:2025737; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, signature_severity Major, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Intex Router N-150 Cross-Site Request Forgery"; flow:from_server,established; file_data; content:"method"; nocase; content:"POST"; content:"PPW"; content:"submit"; content:"SSID"; content:"isp"; 
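content:"WAN"; content:"wirelesspassword"; fast_pattern; content:"name"; content:"value"; classtype:web-application-attack; sid:2025739; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_06_25, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2019_07_26;)
# NOTE(review): the DynoRoot rule below is not scoped to $HOME_NET (any 67 -> any 68); it fires on any DHCP reply carrying "/bin/sh" that the sensor sees.
alert udp any 67 -> any 68 (msg:"ET EXPLOIT DynoRoot DHCP - Client Command Injection"; content:"|02|"; depth:1; content:"|35 01 05 fc|"; distance:0; content:"|2f|bin|2f|sh"; fast_pattern; distance:0; reference:url,exploit-db.com/exploits/44652/; reference:cve,2018-1111; classtype:attempted-admin; sid:2025765; rev:2; metadata:attack_target Networking_Equipment, created_at 2018_06_29, cve CVE_2018_1111, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Critical, updated_at 2019_07_26, reviewed_at 2024_04_03, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# NOTE(review): the five content matches in the CloudMe rule appear to be literal byte runs taken from the referenced exploit-db PoC (44784); a CVE-2018-6892 exploit with a different payload would not match — confirm before treating this as primary coverage.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"ET EXPLOIT CloudMe Sync Buffer Overflow"; flow:established,to_server; content:"|fe e7 d1 61 a8 98 03 69 10 06 e7 6f 6f 0a c4 61 5a ea c8 68 e1 52 d6 68 a2 7c fa 68 ff fd ff ff|"; fast_pattern; distance:0; content:"|92 70 b4 6e 47 27 d5 68 ff ff ff ff bc 48 f9 68|"; distance:0; content:"|3c 06 f8 68 72 a4 f9 68 c0 ff ff ff 92 70 b4 6e|"; distance:0; content:"|ab 57 f0 61 a3 ef b5 6e d1 14 dc 61 0c ed b4 64 45 62 ba 61|"; distance:0; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; distance:0; reference:url,exploit-db.com/exploits/44784/; reference:cve,2018-6892; classtype:attempted-admin; sid:2025766; rev:2; metadata:attack_target Server, created_at 2018_06_29, cve CVE_2018_6892, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_07_26;)
# Fixed: 2018-8733 was declared as reference:url (it is a CVE id, not a URL) and produced a broken reference link; now reference:cve, consistent with the other three CVE references in this rule. rev bumped 1 -> 2 for the change.
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FTPShell client Stack Buffer Overflow"; flow:established,from_server; content:"220|20 22|"; isdataat:400,relative; content:!"|00|"; within:400; content:!"|22|"; within:400; content:!"|0b|"; within:400; content:!"|0a|"; within:400; content:!"|0d|"; within:400; content:"|ed 2e 45 22 20|"; fast_pattern; distance:400; reference:cve,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-7573; reference:url,exploit-db.com/exploits/44968/; classtype:attempted-user; sid:2025779; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_03, cve CVE_2018_8734, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_07_26;)
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting"; flow:established,from_server; file_data; content:"onError"; content:"prompt"; fast_pattern; content:"img"; pcre:"/^\s*((?!>).)+?\s*src\s*=\s*[\x22\x27]\s*[^\x27\x28]+?[\x22\x27]\s*onError\s*=\s*prompt\s*\x28\s*[^)]*?(?:document|s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Rsi"; reference:cve,2018-13065; reference:url,exploit-db.com/exploits/44970/; classtype:attempted-user; sid:2025781; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Critical, updated_at 2019_07_26;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization Remote Command Execution"; flow:established,to_server; content:"java.rmi.registry.Registry"; fast_pattern; content:"java.lang.reflect.Proxy"; content:"java.rmi.server.RemoteObjectInvocationHandler"; content:"UnicastRef"; reference:url,exploit-db.com/exploits/44553/; reference:cve,2018-2628; classtype:attempted-user; sid:2025788; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_07_05, cve CVE_2018_2628, deployment 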
Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Exim Internet Mailer Remote Code Execution"; flow:established,to_server; content:"JHtydW57L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3Av"; reference:cve,2018-6789; reference:url,exploit-db.com/exploits/44571/; classtype:attempted-user; sid:2025793; rev:2; metadata:attack_target SMTP_Server, created_at 2018_07_09, cve CVE_2018_6789, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HOME_NET 9000 (msg:"ET EXPLOIT xdebug OS Command Execution"; flow:established,to_server; content:"eval -i 1 --|0d 0a|ZmlsZV9wdXRfY29udGVudH"; reference:url,exploit-db.com/exploits/44568/; classtype:attempted-user; sid:2025794; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vYmluL2Jhc2"; classtype:attempted-user; sid:2025806; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"vKjw/cGhwI"; classtype:attempted-user; sid:2025809; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, 
created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"MeW84UDNCb2ND"; classtype:attempted-user; sid:2025812; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"c3lzdGVtKCIgcGhw"; classtype:attempted-user; sid:2025795; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"N5c3RlbSgiIHBoc"; classtype:attempted-user; sid:2025796; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"zeXN0ZW0oIiBwaH"; classtype:attempted-user; sid:2025797; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"c3lzdGVtKCJwaH"; classtype:attempted-user; sid:2025798; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"N5c3RlbSgicGhw"; classtype:attempted-user; sid:2025799; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Generic system shell command to php base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"zeXN0ZW0oInBoc"; classtype:attempted-user; sid:2025800; rev:2; metadata:created_at 2018_07_09, confidence Medium, 
signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"ZmlsZV9wdXRfY29udGVudH"; classtype:attempted-user; sid:2025801; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"ZpbGVfcHV0X2NvbnRlbnRz"; classtype:attempted-user; sid:2025802; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT file_put_contents php base64 encoded Remote Code Execution 3"; flow:established,to_server; content:"maWxlX3B1dF9jb250ZW50c"; classtype:attempted-user; sid:2025803; rev:2; metadata:affected_product Web_Server_Applications, affected_product PHP, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"L2Jpbi9iYXNo"; classtype:attempted-user; sid:2025804; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT bin bash base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"9iaW4vYmFza"; classtype:attempted-user; sid:2025805; rev:2; metadata:attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"Lyo8P3BocC"; classtype:attempted-user; sid:2025807; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"8qPD9waHAg"; classtype:attempted-user; sid:2025808; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id 
T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 1"; flow:established,to_server; content:"THlvOFAzQm9jQ"; classtype:attempted-user; sid:2025810; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 2"; flow:established,to_server; content:"x5bzhQM0JvY0"; classtype:attempted-user; sid:2025811; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 4"; flow:established,to_server; content:"OHFQRDl3YUhBZ"; classtype:attempted-user; sid:2025813; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 5"; flow:established,to_server; content:"hxUEQ5d2FIQW"; classtype:attempted-user; sid:2025814; rev:2; metadata:affected_product Web_Server_Applications, 
attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 6"; flow:established,to_server; content:"4cVBEOXdhSEFn"; classtype:attempted-user; sid:2025815; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 7"; flow:established,to_server; content:"dktqdy9jR2h3S"; classtype:attempted-user; sid:2025816; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT php script double base64 encoded Remote Code Execution 8"; flow:established,to_server; content:"ZLancvY0dod0"; classtype:attempted-user; sid:2025817; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET 
EXPLOIT php script double base64 encoded Remote Code Execution 9"; flow:established,to_server; content:"2S2p3L2NHaHdJ"; classtype:attempted-user; sid:2025818; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_07_09, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert udp any any -> $HOME_NET 4070 (msg:"ET EXPLOIT HID VertX and Edge door controllers command_blink_on Remote Command Execution"; content:"command_blink_on|3b|"; fast_pattern; content:"|60|"; within:44; reference:url,exploit-db.com/exploits/44992/; classtype:attempted-user; sid:2025821; rev:2; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Linux"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bash"; content:"5c5c7837665c5c7834355c5c7834635c5c783436"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; reference:cve,2018-1000049; classtype:attempted-user; sid:2025861; rev:1; metadata:attack_target Server, created_at 2018_07_17, cve CVE_2018_1000049, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Nanopool Claymore Dual Miner Remote Code Execution Windows"; flow:established,to_server; content:"jsonrpc"; content:"method"; content:"miner_file"; content:".bat"; content:"706f7765727368656c6c2e657865"; fast_pattern; reference:url,exploit-db.com/exploits/45044/; 
reference:cve,2018-1000049; classtype:attempted-user; sid:2025862; rev:2; metadata:attack_target Server, created_at 2018_07_17, cve CVE_2018_1000049, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge"; flow:from_server,established; content:"CNXN|00 00 00 01 00 10 00 00 07 00 00 00 32 02 00 00 BC B1 A7 B1|host|3a 3a|"; distance:40; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025887; rev:1; metadata:created_at 2018_07_24, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"ET EXPLOIT Remote Command Execution via Android Debug Bridge 2"; flow:from_server,established; content:"OPENX|02 00 00 00 00 00 00 F2 17 4A 00 00 B0 AF BA B1|shell|3a|>/sdcard/Download/f|20|&&|20|cd|20|/sdcard/Download/|3b 20|>/dev/f|20|&&|20|cd|20|/dev/|3b 20|>/data/local/tmp/f|20|&&|20|cd|20|/data/local/tmp/|3b 20|busybox|20|wget|20|http|3a|//"; fast_pattern; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/open-adb-ports-being-exploited-to-spread-possible-satori-variant-in-android-devices/; classtype:trojan-activity; sid:2025888; rev:1; metadata:affected_product Android, attack_target Mobile_Client, created_at 2018_07_24, deployment Perimeter, confidence High, signature_severity Critical, updated_at 2019_07_26;) alert tcp-pkt any 445 -> $HOME_NET any (msg:"ET EXPLOIT SMB Null Pointer Dereference PoC Inbound (CVE-2018-0833)"; flow:from_server,established; content:"|FD 53 4D 42 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41|"; 
offset:4; reference:url,krbtgt.pw/smbv3-null-pointer-dereference-vulnerability/; reference:cve,2018-0833; classtype:attempted-admin; sid:2025983; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_08, cve CVE_2018_0833, deployment Internal, confidence High, signature_severity Major, updated_at 2019_07_26;) alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt (SMTP)"; flow:to_server,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026084; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript invalidcheck escape attempt"; flow:to_client,established; file_data; content:"legal"; content:"restore"; distance:0; content:"currentdevice"; content:"putdeviceprops"; pcre:"/legal[^x7B]*\x7B[^\x7D]*restore/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026085; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Datacenter, signature_severity Major, updated_at 2019_07_26;) alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt (SMTP)"; flow:to_server,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026086; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, signature_severity Major, updated_at 2019_07_26;) alert tcp 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal read undefinedfilename attempt"; flow:to_client,established; file_data; content:"undefinedfilename"; fast_pattern; content:"errordict"; content:"invalidfileaccess"; content:"typecheck"; pcre:"/errordict\s+\x2Finvalidfileaccess/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026087; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, signature_severity Major, updated_at 2019_07_26;) alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt (SMTP)"; flow:to_server,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]*\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026088; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript illegal delete bindnow attempt"; flow:to_client,established; file_data; content:"unlink("; fast_pattern; content:"|2E|bindnow"; content:"stopped"; distance:0; pcre:"/\x2Ebindnow[^\x7D]+\x7D\s*stopped/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026089; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, signature_severity Major, updated_at 2019_07_26;) alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026090; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, 
confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript setpattern type confusion attempt"; flow:to_client,established; file_data; content:"16#"; content:"setpattern"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026091; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, confidence High, signature_severity Major, updated_at 2019_07_26;) alert smtp $EXTERNAL_NET any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt (SMTP)"; flow:to_server,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026092; rev:2; metadata:attack_target SMTP_Server, created_at 2018_09_05, deployment Datacenter, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ghostscript LockDistillerParams type confusion attempt"; flow:to_client,established; file_data; content:"LockDistillerParams"; content:"16#"; distance:0; pcre:"/16#[^s]\d+\s*\x3E\x3E\s*setpattern/smi"; reference:url,seclists.org/oss-sec/2018/q3/142; classtype:attempted-user; sid:2026093; rev:1; metadata:attack_target Client_Endpoint, created_at 2018_09_05, deployment Perimeter, confidence High, signature_severity Major, updated_at 2019_07_26;) alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Mikrotik Winbox RCE Attempt (CVE-2018-14847)"; flow:established,to_server; content:"|680100664d320500ff010600ff09050700ff090701000021352f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f2f2f2f2f2f2e2f2e2e2f666c6173682f72772f73746f72652f757365722e6461740200ff88020000000000080000000100ff8802000200000002000000|"; offset:0; reference:url,github.com/mrmtwoj/0day-mikrotik; 
reference:url,www.helpnetsecurity.com/2018/08/03/mikrotik-cryptojacking-campaign; reference:cve,2018-14847; classtype:attempted-admin; sid:2025972; rev:3; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2018_08_06, cve CVE_2018_14847, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert icmp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible CVE-2018-4407 - Apple ICMP DoS PoC"; itype:12; icode:0; content:"AAAAAAAA"; fast_pattern; reference:url,lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407; reference:url,twitter.com/ihackbanme/status/1057811965945376768; classtype:attempted-user; sid:2026567; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2018_11_01, cve CVE_2018_4407, deployment Internal, confidence Medium, signature_severity Major, updated_at 2019_07_26;) alert tcp $EXTERNAL_NET any -> $HOME_NET 44818 (msg:"ET EXPLOIT Possible MicroLogix 1100 PCCC DoS Condition (CVE-2017-7924)"; flow:to_server,established; content:"|4b 02 20 67 24 01|"; content:"|a2|"; distance:0; content:"|05 47|"; distance:1; within:2; reference:cve,2017-7924; reference:url,rapid7.com/db/modules/auxiliary/dos/scada/allen_bradley_pccc; classtype:attempted-dos; sid:2026917; rev:1; metadata:created_at 2019_02_18, cve CVE_2017_7924, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2019_07_26, reviewed_at 2024_05_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M2"; flow:from_server,established; file_data; content:"|68546147567362474e765a4756425a475279554746795957|"; classtype:attempted-user; sid:2027070; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, cve CVE_2018_8174, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) 
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M1"; flow:from_server,established; file_data; content:"|4b464e6f5a5778735932396b5a55466b5a484a5159584a6862|"; classtype:attempted-user; sid:2027069; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, cve CVE_2018_8174, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2018-8174 Common Construct B64 M3"; flow:from_server,established; file_data; content:"|6f5532686c6247786a6232526c5157526b636c4268636d4674|"; classtype:attempted-user; sid:2027071; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_03_11, cve CVE_2018_8174, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert tcp any any -> any 3389 (msg:"ET EXPLOIT [NCC GROUP] Possible Bluekeep Inbound RDP Exploitation Attempt (CVE-2019-0708)"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|02 f0|"; distance:2; within:2; content:"|00 05 00 14 7c 00 01|"; within:512; content:"|03 c0|"; distance:3; within:384; content:"MS_T120|00|"; distance:6; within:372; nocase; fast_pattern; threshold: type limit, track by_src, count 2, seconds 600; reference:cve,CVE-2019-0708; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2019_05_rdp_cve_2019_0708.txt; classtype:attempted-admin; sid:2027369; rev:3; metadata:attack_target Client_and_Server, created_at 2019_05_21, deployment Perimeter, deployment Internet, deployment Internal, malware_family Bluekeep, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_07_26;) alert http $EXTERNAL_NET 
any -> $HOME_NET any (msg:"ET EXPLOIT Possible Zoom Client Auto-Join (CVE-2019-13450)"; flow:established,to_client; file_data; content:"localhost|3a|19421/launch?action=join&confno="; reference:url,medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5; reference:cve,2019-13450; classtype:attempted-user; sid:2027696; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2019_07_10, cve CVE_2019_13450, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Informational, updated_at 2019_07_26;) #alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Urgent Flag"; flags:U+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027768; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_07_31, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2019_07_31;) #alert tcp any any -> any any (msg:"ET EXPLOIT Possible VXWORKS Urgent11 RCE Attempt - Illegal Urgent Flag"; flags:SUF+; reference:url,armis.com/urgent11; reference:cve,2019-12255; reference:cve,2019-12260; reference:cve,2019-12261; reference:cve,2019-12263; classtype:attempted-admin; sid:2027770; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_01, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2019_08_01;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible CVE-2013-3906 CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php"; http_uri; content:"MyWebClient"; depth:11; http_user_agent; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; classtype:command-and-control; sid:2017671; rev:6; metadata:created_at 2013_11_06, confidence Medium, 
signature_severity Major, tag CISA_KEV, updated_at 2019_08_15;) alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:3; metadata:created_at 2014_04_08, cve CVE_2014_0160, signature_severity Major, updated_at 2019_08_16;) alert tcp any any -> $HOME_NET !$HTTP_PORTS (msg:"ET EXPLOIT Malformed HeartBeat Request method 2"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_test:2,>,2,3; byte_test:2,>,200,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018374; rev:3; metadata:created_at 2014_04_08, cve CVE_2014_0160, signature_severity Major, updated_at 2019_08_16;) alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TLS HeartBeat Request (Server Initiated) fb set"; flow:established,from_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Request.SI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; 
classtype:bad-unknown; sid:2018375; rev:4; metadata:created_at 2014_04_09, cve CVE_2014_0160, signature_severity Major, updated_at 2019_08_16;) alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:5; metadata:created_at 2014_04_09, cve CVE_2014_0160, signature_severity Major, updated_at 2019_08_16;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018377; rev:4; metadata:created_at 2014_04_09, cve CVE_2014_0160, confidence Medium, signature_severity Major, updated_at 2019_08_16;) alert tcp $HOME_NET any -> any any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response (Server Init Vuln Client)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.SI; flowbits:isnotset,ET.HB.Response.SI; flowbits:set,ET.HB.Response.SI; flowbits:unset,ET.HB.Request.SI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; 
reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018378; rev:6; metadata:created_at 2014_04_09, cve CVE_2014_0160, confidence Medium, signature_severity Major, updated_at 2019_08_16;) alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)"; flow:established,from_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018383; rev:9; metadata:created_at 2014_04_11, cve CVE_2014_0160, confidence Medium, signature_severity Major, updated_at 2019_08_16;) alert tcp any any -> $HOME_NET [443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; byte_test:1,<,4,0,relative; content:"|00 03 01|"; distance:1; within:3; byte_test:2,>,150,0,relative; isdataat:!18,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018388; rev:3; metadata:created_at 2014_04_15, cve CVE_2014_0160, confidence Medium, signature_severity Major, updated_at 2019_08_16;) alert tcp any any -> $HOME_NET 
[443,636,989,990,992,993,994,995,5061,25] (msg:"ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,0,relative; content:!"|00 03|"; distance:1; within:2; byte_extract:2,1,rec_len,relative; content:"|01|"; within:1; byte_test:2,>,150,0,relative; byte_test:2,>,rec_len,0,relative; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018389; rev:4; metadata:created_at 2014_04_15, cve CVE_2014_0160, confidence Medium, signature_severity Major, updated_at 2019_08_16;) alert tcp $HOME_NET [21,25,110,143,443,465,587,636,989:995,5061,5222] -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,150,3; byte_test:2,<,17000,3; threshold:type limit,track by_dst,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018382; rev:9; metadata:created_at 2014_04_11, cve CVE_2014_0160, confidence Medium, signature_severity Major, updated_at 2019_08_16;) #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT M3U File Request Flowbit Set"; flow:to_server,established; content:"GET "; depth:4; content:".m3u"; http_uri; flowbits:set,ET.m3u.download; flowbits:noalert; classtype:not-suspicious; sid:2011241; rev:3; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_08_22;) #alert http $EXTERNAL_NET any -> $HOME_NET 
$HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 2"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"app="; nocase; content:"act="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/act\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012683; rev:6; metadata:created_at 2010_09_25, confidence High, signature_severity Major, updated_at 2019_08_22;) #alert http $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7; metadata:created_at 2010_09_25, confidence High, signature_severity Major, updated_at 2019_08_22;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound"; flow:established,to_server; content:"xc3511"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027973; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, signature_severity Major, updated_at 2019_09_09;) alert tcp $EXTERNAL_NET any -> $HOME_NET [554,9527] (msg:"ET EXPLOIT HiSilicon DVR - Default Application Backdoor Password"; flow:established,to_server; content:"I0TO5Wv9"; fast_pattern; reference:url,github.com/tothi/pwn-hisilicon-dvr; classtype:default-login-attempt; sid:2027974; rev:2; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, 
updated_at 2019_09_09;) alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846)"; flow:established,to_server; content:"|16|"; depth:1; content:"|01|"; distance:4; within:1; content:"|5c 00|"; fast_pattern; distance:0; pcre:"/[\x20-\x7e]{5,}\x5c\x00[\x20-\x7e]{5,}/"; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027959; rev:2; metadata:created_at 2019_09_06, cve CVE_2019_15846, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2019_09_10;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hostile _dsgweed.class JAR exploit"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"_dsgweed.class"; classtype:trojan-activity; sid:2018031; rev:3; metadata:created_at 2014_01_28, signature_severity Major, updated_at 2019_09_27;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; nocase; http_uri; content:"hl="; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:5; metadata:created_at 2011_02_21, confidence Medium, signature_severity Major, updated_at 2019_09_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Edge Chakra.dll Type Confusion (CVE-2016-7200 CVE-2016-7201) B641"; flow:established,from_server; file_data; content:"VHJpZ2dlckZpbGxGcm9tUHJvdG90eXBlc0J1Z"; classtype:trojan-activity; sid:2023702; rev:3; metadata:affected_product Microsoft_Edge_Browser, attack_target Client_Endpoint, created_at 2017_01_06, cve CVE_2016_7200, deployment Perimeter, confidence Medium, signature_severity Critical, tag Exploit_Kit_Sundown, tag CISA_KEV, updated_at 2019_09_27;) alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible DOUBLEPULSAR Beacon Response"; flow:from_server,established; content:"|00 00 00 23 
ff|SMB2|02 00 00 c0 98 07 c0 00 00|"; depth:18; content:"|00 00 00 08 ff fe 00 08|"; distance:8; within:8; fast_pattern; pcre:"/^[\x50-\x59]/R"; content:"|00 00 00|"; distance:1; within:3; endswith; classtype:trojan-activity; sid:2024216; rev:2; metadata:attack_target Client_Endpoint, created_at 2017_04_17, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag c2, updated_at 2019_09_28, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;) alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALROMANCE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18|"; offset:4; depth:10; content:"|07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 08|"; fast_pattern; within:16; content:"|00 08|"; distance:2; within:2; content:"|0e 00 00 40 00|"; distance:2; within:5; content:"|00 00 00 00 00 00 01 00 00 00 00 00 00 00 00|"; distance:2; within:15; content:"|00 00 00 00 00 00 00 00 00|"; endswith; threshold: type threshold, track by_src, count 20, seconds 1; classtype:trojan-activity; sid:2024219; rev:2; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, confidence Medium, signature_severity Critical, updated_at 2019_09_28;) alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (MSF style)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00 18 01 28|"; offset:4; depth:12; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:2; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025649; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment 
Internal, confidence Medium, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;) alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT ETERNALBLUE Probe Vulnerable System Response MS17-010"; flow:from_server,established; content:"|ff|SMB|25 05 02 00 c0 98 01|"; offset:4; depth:11; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:3; within:10; content:"|00 00 00|"; distance:8; within:3; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025650; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_07_11, deployment Internal, confidence Medium, signature_severity Major, tag Metasploit, tag ETERNALBLUE, updated_at 2019_09_28;) alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE Probe MS17-010 (Generic Flags)"; flow:to_server,established; content:"|ff|SMB|25 00 00 00 00|"; offset:4; depth:9; content:"|00 00 00 00 00 00 00 00 00 00|"; distance:5; within:10; content:"|23 00 00 00 07 00 5c 50 49 50 45 5c 00|"; fast_pattern; endswith; threshold: type limit, track by_src, count 1, seconds 30; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb; classtype:trojan-activity; sid:2025992; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_08_15, deployment Perimeter, malware_family ETERNALBLUE, confidence Medium, signature_severity Major, updated_at 2019_09_28;) alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible EXIM DoS (CVE-2019-16928)"; flow:established,to_server; content:"EHLO "; depth:5; isdataat:5000,relative; content:!"|0a|"; within:500; reference:cve,2019-16928; reference:url,bugs.exim.org/show_bug.cgi?id=2449; 
reference:url,git.exim.org/exim.git/patch/478effbfd9c3cc5a627fc671d4bf94d13670d65f; classtype:attempted-admin; sid:2028636; rev:3; metadata:attack_target SMTP_Server, created_at 2019_09_30, cve CVE_2019_16928, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2019_10_01;) alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Metasploit Java Exploit"; flow:established,to_client; file_data; flowbits:isset,ET.http.javaclient; content:"xploit.class"; nocase; fast_pattern; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:6; metadata:affected_product Any, attack_target Client_and_Server, created_at 2012_08_29, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, confidence Medium, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET EXPLOIT Exim/Dovecot Possible MAIL FROM Command Execution"; flow:to_server,established; content:"${IFS}"; fast_pattern; content:"mail from|3a|"; nocase; pcre:"/^[^\r\n]*?\x60[^\x60]*?\$\{IFS\}/R"; reference:url,redteam-pentesting.de/de/advisories/rt-sa-2013-001/-exim-with-dovecot-typical-misconfiguration-leads-to-remote-command-execution; classtype:attempted-admin; sid:2016835; rev:3; metadata:created_at 2013_05_08, confidence Medium, signature_severity Major, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible 2012-1533 altjvm RCE via JNLP command injection"; flow:established,from_server; 
file_data; content:" $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM WHMCS CURL Multi-part Boundary Issue"; flow:established,to_server; content:"POST"; http_method; content:"/rootpassword.php?"; http_uri; fast_pattern; content:"name=action"; content:"name=action"; distance:0; content:"name=action"; distance:0; reference:url,localhost.re/p/solusvm-whmcs-module-316-vulnerability; classtype:trojan-activity; sid:2017063; rev:4; metadata:created_at 2013_06_25, signature_severity Major, updated_at 2019_10_08;) alert http $HOME_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 Access to solusvmc-node setuid bin"; flow:established,to_server; content:"solusvmc-node"; fast_pattern; pcre:"/\bsolusvmc-node\b/"; classtype:trojan-activity; sid:2017061; rev:4; metadata:created_at 2013_06_25, signature_severity Major, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Metasploit Various Java Exploit Common Class name"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PayloadX.class"; nocase; fast_pattern; classtype:attempted-user; sid:2018500; rev:7; metadata:affected_product Any, attack_target Client_and_Server, created_at 2014_05_27, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 3"; flow:established,to_server; content:"/PMConfig.dat"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018587; rev:5; metadata:created_at 2014_06_20, signature_severity Major, updated_at 2019_10_08;) alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys successful upload"; flow:to_server,established; content:"ssh-rsa"; fast_pattern; flowbits:isset,ET.F5.key; 
reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019090; rev:3; metadata:created_at 2014_08_29, signature_severity Major, updated_at 2019_10_08;) alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi access attempt"; flow:to_server,established; dsize:4; content:"cmi|0a|"; fast_pattern; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019087; rev:5; metadata:created_at 2014_08_29, signature_severity Major, updated_at 2019_10_08;) alert tcp any any -> any 873 (msg:"ET EXPLOIT F5 BIG-IP rsync cmi authorized_keys access attempt"; flow:to_server,established; content:"cmi/var/ssh/root/authorized_keys"; fast_pattern; flowbits:set,ET.F5.key; reference:url,www.security-assessment.com/files/documents/advisory/F5_Unauthenticated_rsync_access_to_Remote_Root_Code_Execution.pdf; classtype:attempted-admin; sid:2019088; rev:4; metadata:created_at 2014_08_29, signature_severity Major, updated_at 2019_10_08;) alert udp any 67 -> any 68 (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DHCP ACK"; content:"|02 01|"; depth:2; content:"|28 29 20 7b|"; fast_pattern; reference:url,access.redhat.com/articles/1200223; reference:cve,2014-6271; classtype:attempted-admin; sid:2019237; rev:5; metadata:created_at 2014_09_25, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;) alert udp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; reference:cve,2014-6271; classtype:attempted-admin; sid:2019289; rev:4; metadata:created_at 2014_09_27, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2023_05_24;) alert 
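tcp any any -> $HOME_NET [5060,5061] (msg:"ET EXPLOIT Possible CVE-2014-6271 Attempt Against SIP Proxy"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; reference:url,github.com/zaf/sipshock; reference:cve,2014-6271; classtype:attempted-admin; sid:2019290; rev:4; metadata:created_at 2014_09_27, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;)
# ^ sid:2019290 (TCP twin of the UDP SIP rule 2019289 on the previous line) starts on the
#   previous line. rev bumped: added reference:cve,2014-6271 so it cites the CVE like 2019289
#   and 2019335 do; metadata already carried cve CVE_2014_6271, the reference did not.
# The "|28 29 20 7b|" literal in all of the rules below is ASCII "() {", the Shellshock
# function-definition prefix, anchored with fast_pattern so the MPM does the heavy lifting.
# Qmail: "() {" must appear inside a MAIL FROM argument (pcre, /m so ^ anchors at line start).
# rev bumped: added reference:cve for consistency with the sibling Shellshock rules.
alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Qmail CVE-2014-6271 Mail From attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^mail\s*?from\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b/mi"; reference:url,marc.info/?l=qmail&m=141183309314366&w=2; reference:cve,2014-6271; classtype:attempted-admin; sid:2019293; rev:4; metadata:created_at 2014_09_29, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;)
# OpenVPN on 1194, UDP and TCP variants: first payload byte must be 0x20, then "() {" anywhere
# after it. Only the reference differs between the two rules (UDP has no established flow).
# rev bumped on both: added reference:cve for consistency with the sibling Shellshock rules.
alert udp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; reference:cve,2014-6271; classtype:attempted-admin; sid:2019322; rev:4; metadata:created_at 2014_09_30, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;)
alert tcp any any -> $HOME_NET 1194 (msg:"ET EXPLOIT Possible OpenVPN CVE-2014-6271 attempt"; flow:to_server,established; content:"|20|"; depth:1; content:"|28 29 20 7b|"; fast_pattern; reference:url,news.ycombinator.com/item?id=8385332; reference:cve,2014-6271; classtype:attempted-admin; sid:2019323; rev:4; metadata:created_at 2014_09_30, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;)
# Pure-FTPd on 21: note the marker here is "() { " (trailing space, |28 29 20 7b 20|).
# Rule continues on the next line.
alert tcp any any -> $HOME_NET 21 (msg:"ET EXPLOIT Possible Pure-FTPd CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b 20|"; fast_pattern; reference:url,gist.github.com/jedisct1/88c62ee34e6fa92c31dc; reference:cve,2014-6271; classtype:attempted-admin; sid:2019335; rev:2; 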
metadata:created_at 2014_10_02, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;) alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 malicious DNS response"; byte_test:1,&,128,2; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019402; rev:2; metadata:created_at 2014_10_15, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;) alert tcp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2014-6271 exploit attempt via malicious DNS"; byte_test:1,&,128,4; content:"|28 29 20 7b|"; fast_pattern; reference:cve,2014-6271; reference:url,packetstormsecurity.com/files/128650; classtype:attempted-admin; sid:2019403; rev:2; metadata:created_at 2014_10_15, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name"; flow:to_client,established; file_data; content:"function"; pcre:"/^(?:\x25(?:25)*?20|\s)*?runmumaa\W/Rs"; content:"runmumaa"; fast_pattern; reference:cve,2014-6332; classtype:attempted-user; sid:2019733; rev:6; metadata:created_at 2014_11_18, cve CVE_2014_6332, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Targeted Attack from APT Actor Delivering HT SWF Exploit RIP"; flow:established,from_server; file_data; content:"|67 5f 6f 3d 69 65 56 65 72 73 69 6f 6e 28 29 3b|"; nocase; fast_pattern; content:"|67 65 74 42 69 74 73 28 29 3b|"; nocase; content:"var "; 
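pcre:"/^\s*?(?P<var>[^=\s\x3b]+)\s*?=\s*?getBits\(\s*?\)\x3b.+?flashvars\s*?=\s*?\x5c\x22(?P=var)\s*?=\s*?\x22\s*?\+\s*?(?P=var)\s*?\+\s*?\x22\x5c\x22/Rsi"; classtype:targeted-activity; sid:2021405; rev:5; metadata:created_at 2015_07_13, confidence High, signature_severity Major, updated_at 2019_10_08;)
# ^ sid:2021405 (HT SWF exploit loader) starts on the previous line. The named group
#   (?P<var>...) was missing its name (the "<var>" had been stripped); the two (?P=var)
#   backreferences later in the pattern require it, so the pcre would not compile as written.
#   Restored: the group captures the JS variable assigned from getBits() and the backreferences
#   require the same variable to be spliced into the flashvars string.
# Android Stagefright (CVE-2015-1538): an MP4 "ftyp" box (|00 00 00 18|"ftyp" + "mp4") within
# the first 13 bytes of the served file body, plus a literal "/system/bin/sh" somewhere in it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Android Stagefright MP4 CVE-2015-1538 - Shell"; flow:established,from_server; file_data; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; content:"/system/bin/sh"; fast_pattern; reference:cve,2015-1538; reference:url,blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/; classtype:attempted-user; sid:2021757; rev:3; metadata:created_at 2015_09_10, cve CVE_2015_1538, confidence Medium, signature_severity Major, updated_at 2019_10_08;)
# Postfix Shellshock: "() {" (|28 29 20 7b|) inside any "<verb>:" SMTP command argument,
# followed by ";" ... "};" on the same line.
# NOTE(review): the trailing "(?!=[\r\n])" is a negative lookahead for a literal '=' followed by
# CR/LF, which is almost certainly not what was intended ("(?![\r\n])" or "(?=[\r\n])"). It only
# loosens the match, so it is left as-is; confirm against the upstream rule before changing it.
alert tcp any any -> $HOME_NET [25,587] (msg:"ET EXPLOIT Possible Postfix CVE-2014-6271 attempt"; flow:to_server,established; content:"|28 29 20 7b|"; fast_pattern; pcre:"/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi"; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, cve CVE_2014_6271, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;)
# TrendMicro node.js HTTP RCE, served to the client: page script doing an XMLHttpRequest to the
# local ":49155/api/openUrlInDefaultBrowser?" endpoint.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (openUrlInDefaultBrowser)"; flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/openUrlInDefaultBrowser?"; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022352; rev:3; metadata:created_at 2016_01_13, confidence Medium, signature_severity Major, updated_at 2019_10_08;)
# TrendMicro showSB variant -- rule continues on the next line.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TrendMicro node.js HTTP RCE Exploit Inbound (showSB)"; 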
flow:from_server,established; file_data; content:"XMLHttpRequest"; nocase; content:"|3a|49155/api/showSB?url="; fast_pattern; reference:url,code.google.com/p/google-security-research/issues/detail?id=693; classtype:attempted-user; sid:2022353; rev:3; metadata:created_at 2016_01_13, confidence Medium, signature_severity Major, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2"; flow:established,from_server; file_data; content:"redim"; nocase; fast_pattern; content:"Preserve"; nocase; content:"VBScript"; nocase; content:"chrw"; content:"32767"; distance:0; content:"chrw"; content:"2176"; distance:0; classtype:attempted-admin; sid:2022797; rev:3; metadata:created_at 2016_05_06, cve CVE_2014_6332, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LastPass RCE Attempt"; flow:from_server,established; file_data; content:"getBoundingClientRect"; nocase; content:"MouseEvent"; fast_pattern; content:"dispatchEvent"; nocase; pcre:"/^\s*\x28\s*new\s*MouseEvent\s*\x28\s*[\x22\x27]\s*click/Rsi"; content:"addEventListener"; nocase; pcre:"/^\s*\x28\s*[\x22\x27]\s*message/Rsi"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=884; classtype:trojan-activity; sid:2022989; rev:3; metadata:affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2016_07_28, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2019_10_08;) alert tcp any any -> $HOME_NET 3306 (msg:"ET EXPLOIT Possible MySQL cnf overwrite CVE-2016-6662 Attempt"; flow:established,to_server; content:"|03|"; offset:4; content:"global_log_dir"; nocase; distance:0; 
content:".cnf"; nocase; distance:0; content:"nmalloc_lib"; fast_pattern; reference:cve,2016-6662; reference:url,legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; classtype:attempted-admin; sid:2023202; rev:2; metadata:affected_product MySQL, attack_target Server, created_at 2016_09_13, cve CVE_2016_6662, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS Pegasus Safari Exploit (CVE-2016-4657)"; flow:established,from_server; file_data; content:"+="; pcre:"/^\s*?\x27try\s*?{}\s*?catch\x28e\x29\s*?{}\x3b/Rsi"; content:"Object"; pcre:"/^(?:\.|\[\s*?[\x22\x27])defineProperties\s*?\x28/Rsi"; content:"defineProperties"; fast_pattern; reference:cve,2016-4657; reference:url,blog.lookout.com/blog/2016/11/02/trident-pegasus-technical-details/; classtype:attempted-admin; sid:2023484; rev:3; metadata:affected_product iOS, affected_product Safari, attack_target Mobile_Client, created_at 2016_11_07, cve CVE_2016_4657, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;) alert tcp $EXTERNAL_NET any -> $HOME_NET 8880 (msg:"ET EXPLOIT IBM WebSphere - RCE Java Deserialization"; flow:to_server,established; content:"SOAPAction|3a 20||22|urn:AdminService|22|"; content:""; content:"vcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbn"; fast_pattern; reference:cve,2015-7450; classtype:attempted-user; sid:2024062; rev:3; metadata:affected_product IBM_Websphere, attack_target Server, created_at 2017_03_15, cve CVE_2015_7450, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2019_10_08;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern; content:"RETR "; 
pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag possible_exploitation, tag CISA_KEV, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL"; flow:established,from_server; file_data; content:"process.start"; nocase; fast_pattern; content:").)+?]+location=\s*[\x22\x27](?:(?!<\/service>).)+?]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024702; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_13, cve CVE_2017_8759, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock script retrieval"; flow:established,from_server; file_data; content:"|2f|share|2f|MD0_DATA|2f|optware|2f|.xpl|2f|"; fast_pattern; content:"unset HISTFIE"; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019905; rev:4; metadata:created_at 2014_12_10, cve CVE_2014_6271, signature_severity Major, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; nocase; fast_pattern; classtype:web-application-attack; sid:2101334; rev:11; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2019_10_08;) alert http $EXTERNAL_NET any -> any any (msg:"ET 
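EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)"; flow:established,to_server; http.request_body; content:"|7b 22|jsonrpc|22 3a 22|"; startswith; content:"/getEnterpriseUser|22|"; distance:0; fast_pattern; content:",|22|params|22 3a 7b 22|id|22 3a|"; distance:0; pcre:"/^(?P<num_value>\d+)\x7d,\x22id\x22\x3a(?P=num_value)/R"; http.method; content:"POST"; reference:cve,2019-5533; classtype:attempted-admin; sid:2028928; rev:1; metadata:created_at 2019_10_31, cve CVE_2019_5533, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_10_31;)
# ^ sid:2028928 starts on the previous line. The named group (?P<num_value>...) had lost its
#   name; the (?P=num_value) backreference requires it, so the pcre would not compile as
#   written. Restored: the rule fires on a JSON-RPC POST body of the form
#   {"jsonrpc":"..." ... "/getEnterpriseUser" ... ,"params":{"id":N},"id":N} where the
#   params.id value equals the request id.
# Linksys WRT54G v3.1 command injection: basic-auth POST to /apply.cgi whose body carries
# change_action=gozila_cgi, submit_type=language and a ui_language value that begins with a
# backtick or a single quote, raw or URL-encoded.
# rev bumped: the previous pcre "/^[(?:\x60|%60)(?:\x27|%27)]/R" wrapped the alternation in a
# character class, so it matched ANY single character from the set ( ? : ` | % 6 0 ) ' 2 7
# right after "&ui_language=" -- e.g. any value starting with "%" (any URL-encoded first
# character) or with the digits 0/2/6/7 -- rather than the injection prefix specifically.
# Rewritten as a real alternation.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54G Version 3.1 Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|Basic|20|"; http.uri; content:"/apply.cgi"; startswith; http.request_body; content:"change_action=gozila_cgi"; fast_pattern; content:"submit_type=language"; content:"&ui_language="; pcre:"/^(?:\x60|%60|\x27|%27)/R"; reference:url,nstarke.github.io/0034-linksys-wrt54g-v3.1-writeup.html; classtype:attempted-admin; sid:2029734; rev:2; metadata:created_at 2020_03_24, confidence High, signature_severity Major, updated_at 2020_03_24, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# DrayTek CVE-2020-8515, outbound M1: the whole login query string in the URI (depth:47 pins
# "/cgi-bin/mainfunction.cgi?action=login&keyPath=" to the start). Rule continues on the
# next line.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; depth:47; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029804; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment 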
Perimeter, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_04_03;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi?action=login&keyPath="; depth:47; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029805; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_04_03;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029806; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_04_03;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/mainfunction.cgi"; endswith; http.request_body; content:"action=login&keyPath="; fast_pattern; content:"&loginUser="; distance:0; content:"&loginPwd="; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; 
classtype:attempted-admin; sid:2029807; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, cve CVE_2020_8515, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_04_03;)
# ^ tail of sid:2029807 (DrayTek CVE-2020-8515, inbound M2), which starts on the previous line.
# Netlink GPON router RCE: POST to exactly "/boaform/admin/formPing" (bsize:23 pins the full
# URI) with a request body that starts with "target_addr=;" -- the ping target opening
# straight into a shell command separator.
# NOTE(review): startswith plus the literal ";" means only a body that begins with target_addr=
# AND uses ";" as the separator is caught. A different parameter order, a URL-encoded "%3b"
# (http.request_body is not decoded), or another separator ("|", "&&", backtick, "$(") would
# not match. Treat this as coverage of the public PoC rather than of the vulnerability; widen
# it (e.g. a pcre over http.request_body) if these devices are reachable from $EXTERNAL_NET.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/boaform/admin/formPing"; fast_pattern; http.request_body; content:"target_addr=|3b|"; startswith; reference:url,blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/; reference:url,www.exploit-db.com/exploits/48225; classtype:attempted-admin; sid:2029976; rev:2; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2020_04_20, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
# Legacy IIS probe (CVE-1999-0278): ".asp::$DATA" (|3A 3A 24| = "::$") in the request URI,
# the NTFS alternate-data-stream suffix appended to an ASP path. Case-insensitive.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; http.uri; content:".asp|3A 3A 24|DATA"; nocase; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:15; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2020_04_20;)
# IBM Data Risk Manager RCE: POST to the nmap scan API whose multipart "ipAddress" field
# begins with "--script=" pointing at a file under /home/a3user/agile3/patches/ or
# /root/agile3/patches/ (the pcre is anchored right after "--script=" via /R).
# Rule continues on the next line.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/restAPI/v2/nmap/run/scan/"; startswith; http.request_body; content:"form-data|3b 20|name=|22|ipAddress|22 0d 0a 0d 0a|--script="; fast_pattern; pcre:"/^\/(?:home\/a3user|root)\/agile3\/patches\//R"; 
reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029985; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:38; content:"/albatross/eurekaservice/fetchLogFiles"; fast_pattern; http.content_type; bsize:16; content:"application/json"; http.request_body; content:"|22|logFileNameList|22 3a 22|../"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:trojan-activity; sid:2029990; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_04_21;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; http.uri; content:".ida"; nocase; endswith; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:14; metadata:created_at 2010_09_23, cve CVE_2000_0071, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; http.uri; content:".ida?"; nocase; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:2101243; rev:14; metadata:created_at 2010_09_23, cve CVE_2000_0071, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> 
$HTTP_SERVERS any (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; http.uri; content:"/administrators.pwd"; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100953; rev:10; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; http.uri; content:".htr"; nocase; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:2100987; rev:17; metadata:created_at 2010_09_23, cve CVE_2000_0630, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; http.uri; content:"/iisadmpwd/aexp2.htr"; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:2101487; rev:13; metadata:created_at 2010_09_23, cve CVE_1999_0407, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; http.uri; content:"/msadc/samples/"; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:11; metadata:created_at 2010_09_23, cve CVE_1999_0736, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; http.uri; content:"/root.exe"; nocase; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:2101256; rev:11; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; 
http.uri; content:".idq"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101245; rev:13; metadata:created_at 2010_09_23, cve CVE_2000_0071, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; http.uri; content:".idq?"; nocase; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:2101244; rev:17; metadata:created_at 2010_09_23, cve CVE_2000_0071, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; http.header; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:12; metadata:created_at 2010_09_23, cve CVE_2003_0818, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; http.uri; content:"/fpcount.exe"; nocase; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:2101013; rev:12; metadata:created_at 2010_09_23, cve CVE_1999_1376, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; http.uri; content:"/iisadmpwd/aexp"; nocase; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:2101018; rev:13; metadata:created_at 2010_09_23, cve 
CVE_1999_0407, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; http.uri; content:"/iissamples/"; nocase; reference:nessus,11032; classtype:web-application-attack; sid:2101402; rev:9; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; http.uri; content:".cmd?&"; nocase; classtype:web-application-attack; sid:2101003; rev:12; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; http.uri; content:".cmd|22|"; nocase; pcre:"/^.*?\x26/Ri"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:2103193; rev:6; metadata:created_at 2010_09_23, cve CVE_2000_0886, signature_severity Major, updated_at 2020_04_22;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; http.uri; content:"/site/iisamples"; nocase; reference:nessus,10370; classtype:web-application-activity; sid:2101046; rev:12; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2020_04_22;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; pcre:"/(?:\x0a|\\n)\/s1Caa6/"; content:"J1Ls9RWH"; fast_pattern; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030009; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_04_23;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS 
MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://44449"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030010; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_04_23;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://84371"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030011; rev:1; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_04_23;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://87756"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030012; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_04_23;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"://94654"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030013; rev:1; metadata:affected_product iOS, attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_04_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero 
Day Trojan.666 Payload libarext32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarext32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016410; rev:4; metadata:created_at 2013_02_15, signature_severity Major, updated_at 2020_04_23;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Adobe PDF Zero Day Trojan.666 Payload libarhlp32.dll Second Stage Download POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.request_body; content:"lbarhlp32.blb"; reference:url,blog.fireeye.com/research/2013/02/the-number-of-the-beast.html; classtype:trojan-activity; sid:2016409; rev:4; metadata:created_at 2013_02_15, signature_severity Major, updated_at 2020_04_23;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI"; flow:to_server,established; http.uri; content:"java.lang.Runtime@getRuntime().exec("; nocase; classtype:attempted-user; sid:2016953; rev:4; metadata:created_at 2013_05_31, confidence Medium, signature_severity Major, updated_at 2020_04_24;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in client body"; flow:to_server,established; http.request_body; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; classtype:attempted-user; sid:2016954; rev:4; metadata:created_at 2013_06_01, confidence Medium, signature_severity Major, updated_at 2020_04_24;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL AllowStaticMethodAccess in URI"; flow:to_server,established; http.uri; content:"memberAccess"; nocase; content:"allowStaticMethodAccess"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016956; 
rev:4; metadata:created_at 2013_06_01, confidence Medium, signature_severity Major, updated_at 2020_04_24;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body"; flow:to_server,established; http.request_body; content:"java.lang.Runtime@getRuntime().exec("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:4; metadata:created_at 2013_06_01, confidence Medium, signature_severity Major, updated_at 2020_04_24;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in client_body"; flow:to_server,established; http.request_body; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016958; rev:4; metadata:created_at 2013_06_01, confidence Medium, signature_severity Major, updated_at 2020_04_24;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java WriteFile in URI"; flow:to_server,established; http.uri; content:"java.io.FileOutputStream"; nocase; content:".write"; distance:0; nocase; content:"sun.misc.BASE64Decoder"; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016959; rev:4; metadata:created_at 2013_06_01, confidence Medium, signature_severity Major, updated_at 2020_04_24;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java ProcessBuilder URI"; flow:to_server,established; http.uri; content:"java.lang.ProcessBuilder("; nocase; classtype:attempted-user; sid:2017172; rev:5; metadata:created_at 2013_07_24, confidence Medium, signature_severity Major, updated_at 2020_04_24;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL 
Java ProcessBuilder in client body"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder("; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2017173; rev:5; metadata:created_at 2013_07_24, confidence Medium, signature_severity Major, updated_at 2020_04_24;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT JavaX Toolkit Posting Plugin-Detect Data"; flow:established,to_server; http.uri; content:"/post.php?referanceMod="; nocase; content:"java"; nocase; reference:url,github.com/MrXors/Javax/; classtype:attempted-user; sid:2017730; rev:5; metadata:created_at 2013_11_20, signature_severity Major, updated_at 2020_04_27;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Zollard PHP Exploit UA"; flow:established,to_server; http.user_agent; content:"Zollard"; reference:url,deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:2017798; rev:3; metadata:created_at 2013_12_05, signature_severity Major, updated_at 2020_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 1"; flow:established,to_server; http.request_body; content:"Jm9zX2ZsYXZvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017896; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 2"; flow:established,to_server; http.request_body; content:"Zvc19mbGF2b3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; 
classtype:trojan-activity; sid:2017897; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 3"; flow:established,to_server; http.request_body; content:"mb3NfZmxhdm9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2017898; rev:5; metadata:affected_product Any, attack_target Client_and_Server, created_at 2013_12_24, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_04_27;) alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass fw_sys_up.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/fw_sys_up.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018156; rev:3; metadata:created_at 2014_02_19, signature_severity Major, updated_at 2020_04_28;) alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass override.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/override.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018157; rev:3; metadata:created_at 2014_02_19, signature_severity Major, updated_at 2020_04_28;) alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass share_editor.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/share_editor.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018158; rev:3; 
metadata:created_at 2014_02_19, signature_severity Major, updated_at 2020_04_28;) alert http $EXTERNAL_NET any -> $HOME_NET 8083 (msg:"ET EXPLOIT Linksys Auth Bypass switch_boot.cgi"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/cgi-bin/switch_boot.cgi"; nocase; reference:url,www.securityfocus.com/archive/1/531107; classtype:attempted-admin; sid:2018159; rev:4; metadata:created_at 2014_02_19, signature_severity Major, updated_at 2020_04_28;) alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 4"; flow:established,to_server; http.uri; content:"/wsman/simple_auth.passwd"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018588; rev:5; metadata:created_at 2014_06_20, signature_severity Major, updated_at 2020_04_30;) alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible Saltstack Authentication Bypass CVE-2020-11651 M1"; flow:established,to_server; content:"_prep_auth_info"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030071; rev:1; metadata:affected_product Linux, created_at 2020_05_01, cve CVE_2020_11651, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert tcp any any -> any 4506 (msg:"ET EXPLOIT Possible SaltStack Authentication Bypass CVE-2020-11651 M2"; flow:established,to_server; content:"_send_pub"; reference:url,labs.f-secure.com/advisories/saltstack-authorization-bypass; reference:cve,2020-11651; classtype:attempted-admin; sid:2030072; rev:1; metadata:affected_product Linux, created_at 2020_05_01, cve CVE_2020_11651, deployment 
Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_05_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"AAAAAAAA"; content:"AAAAATEy"; content:"EA"; pcre:"/^(?:\\r\\n|\x0d\x0a)AABI/R"; content:"$|0e ce a0 d4 c7 cb 08|"; content:"T8hlGOo9"; content:"OKl2N"; pcre:"/^(?:\\r\\n|\x0d\x0a)C/R"; content:!"|0d 0a|/9j/4S"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030006; rev:3; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_05_01;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible iOS MobileMail OOB Write/Heap Overflow Exploit Email (Inbound)"; flow:established,to_server; content:"3r0TRZfh"; fast_pattern; content:"AAAAAAAA"; content:"|00 41 00 41 00 41 00 41|"; reference:url,blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/; classtype:attempted-admin; sid:2030008; rev:2; metadata:attack_target Mobile_Client, created_at 2020_04_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_05_01;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Netis E1+ 1.2.32533 - Unauthenticated WiFi Password Leak"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"//netcore_get.cgi"; depth:17; fast_pattern; http.cookie; content:"homeFirstShow=yes"; reference:url,www.exploit-db.com/exploits/48384; classtype:attempted-admin; sid:2030095; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_05_04, deployment 
Perimeter, confidence Medium, signature_severity Major, updated_at 2020_05_04;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT NEC SL2100 - Session Enumeration Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PyxisUaMenu.htm?sessionId="; startswith; pcre:"/^\d{3}/R"; content:"&MAINFRM|28|444,-1,591|29|"; distance:0; fast_pattern; threshold:type threshold, count 5, seconds 60, track by_dst; reference:url,www.exploit-db.com/exploits/48425; classtype:attempted-recon; sid:2030102; rev:2; metadata:attack_target Server, created_at 2020_05_05, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_05_05;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Image Manager 5.2.4 - RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"index.php?&p="; content:"/backup/uploadRestore"; endswith; fast_pattern; http.request_body; content:"
# NOTE(review): extraction damage, not an upstream edit. The remainder of the "Image Manager 5.2.4 - RCE Attempt" rule (its http.request_body match, references, sid and metadata) and the header of the following BlogEngine rule up to and including its "->" were dropped, apparently because the lost content match began with "<" and was swallowed as HTML markup. Neither fragment will load as written; restore both rules from the upstream ET Open ruleset rather than guessing the missing match.
$HTTP_SERVERS any (msg:"ET EXPLOIT BlogEngine 3.3 - syndication.axd XXE Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/syndication.axd?apml="; fast_pattern; pcre:"/^(?:https?:\/\/|(\d{1,3}\.){3}\d{1,3}|([a-z0-9-]+\.)+[a-z]{1,8})/Ri"; reference:url,www.exploit-db.com/exploits/48422; classtype:attempted-admin; sid:2030106; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_05_05, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_05_05;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible MPC Sharj 3.11.1 - Arbitrary File Download Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download.php?id="; fast_pattern; pcre:"/^(?:==[A-Z0-9+/]{2}|=[A-Z0-9+/]{3}|[A-Z0-9+/]{4})(?:[A-Z0-9+/]{4})*$/Ri"; content:"L"; endswith; reference:url,www.exploit-db.com/exploits/48433; classtype:attempted-admin; 
sid:2030115; rev:1; metadata:attack_target Web_Server, created_at 2020_05_06, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_05_06;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Attempted D-Link ShareCenter (DNS-320/325) RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/system_mgr.cgi?cmd=cgi_sms_test&command1="; startswith; fast_pattern; reference:url,roberto.greyhats.it/advisories/20120208-dlink-rce.txt/; classtype:web-application-attack; sid:2030120; rev:1; metadata:affected_product Router, attack_target Client_Endpoint, created_at 2020_05_07, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_05_07;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; http.uri; content:"/_vti_pvt/"; fast_pattern; content:".cnf"; nocase; endswith; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100977; rev:15; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2020_05_08;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle WebLogic CVE-2020-2551 Scanning"; flow:established,to_server; content:"|47 49 4f 50 01 02 00 03 00 00 00 17 00 00 00 02 00 00 00 00 00 00 00 0b 4e 61 6d 65 53 65 72 76 69 63 65|"; startswith; fast_pattern; reference:url,www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2020-2551; reference:url,github.com/hktalent/CVE-2020-2551/blob/master/CVE-2020-2551.py; classtype:attempted-admin; sid:2030128; rev:1; metadata:attack_target Server, created_at 2020_05_08, cve CVE_2020_2551, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_05_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Belkin N750 Buffer Overflow Attempt"; flow:established,to_server; urilen:10; http.method; 
content:"POST"; http.uri; content:"/login.cgi"; http.request_body; content:"GO=&jump="; depth:9; isdataat:1380,relative; reference:cve,2014-1635; reference:url,labs.integrity.pt/advisories/cve-2014-1635/; classtype:attempted-admin; sid:2019686; rev:4; metadata:created_at 2014_11_11, confidence High, signature_severity Major, updated_at 2020_05_13;) alert http any [$HTTP_PORTS,7547] -> any any (msg:"ET EXPLOIT Possible Misfortune Cookie RomPager Server banner"; flow:established,from_server; flowbits:isset,ET.Misfortune_Cookie; http.server; content:"RomPager"; nocase; startswith; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020101; rev:3; metadata:created_at 2015_01_06, confidence Medium, signature_severity Major, updated_at 2020_05_14;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 4"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"b3NfbmFtZT"; depth:10; fast_pattern; pcre:"/^[A-Za-z0-9+/]{2}(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020751; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 5"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Jm9zX3ZlbmRvcj"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020752; rev:3; metadata:affected_product Any, attack_target 
Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 6"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"Zvc192ZW5kb3I9"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020753; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Metasploit Plugin-Detect Posting Data 7"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"mb3NfdmVuZG9yP"; reference:url,github.com/rapid7/metasploit-framework/wiki/How-to-write-a-browser-exploit-using-BrowserExploitServer; classtype:trojan-activity; sid:2020754; rev:3; metadata:affected_product Any, attack_target Client_and_Server, created_at 2015_03_26, deployment Perimeter, deployment Internet, deployment Internal, deployment Datacenter, signature_severity Critical, tag Metasploit, updated_at 2020_05_19;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Motorola SBG900 Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/goformFOO/AlFrame?"; content:"/goformFOO/AlFrame?"; distance:0; content:"Gateway.Wan.dnsAddress1="; distance:0; reference:url,github.com/hkm/routerpwn.com/blob/master/index.html; classtype:attempted-admin; sid:2020861; rev:4; metadata:created_at 2015_04_08, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET 
Request 1"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; content:"wan_dns1="; distance:0; content:"action_mode=apply"; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020862; rev:4; metadata:created_at 2015_04_08, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 2"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; content:"wan_dns1_x="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020863; rev:4; metadata:created_at 2015_04_08, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/webcm?"; fast_pattern; content:"getpage="; distance:0; content:"&var|3a|lang="; http.uri.raw; content:"|2e 2e|/html/menus/menu2.html"; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020868; rev:5; metadata:created_at 2015_04_09, confidence Medium, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear WNDR Router DNS Change POST Request"; flow:to_server,established; urilen:26; http.method; content:"POST"; http.uri; content:"/apply.cgi?/BAS_update.htm"; http.request_body; content:"submit_flag=ether"; depth:17; fast_pattern; content:"&ether_dnsaddr1="; distance:0; nocase; content:"&Apply=Apply"; distance:0; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020859; rev:5; metadata:created_at 2015_04_08, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT N56U Router DNS Change GET Request 3"; flow:to_server,established; 
http.method; content:"GET"; http.uri; content:"/start_apply.htm?"; fast_pattern; content:"dnsserver="; distance:0; content:"&dnsserver2="; distance:0; reference:url,securityevaluators.com/knowledge/case_studies/routers/asus_rtn56u.php; classtype:attempted-admin; sid:2020871; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/basic/uiViewIPAddr="; fast_pattern; content:"&uiViewDns1Mark="; distance:0; content:"&uiViewDns2Mark="; distance:0; reference:url,pastebin.com/u0MRLmjp; classtype:attempted-admin; sid:2020872; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-link DI604 Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/prim.htm?"; depth:10; fast_pattern; nocase; content:"i00110004="; distance:0; content:"&i00110005="; distance:0; nocase; content:"&i00035007="; distance:0; nocase; reference:url,www.gnucitizen.org/blog/router-hacking-challenge; classtype:attempted-admin; sid:2020873; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin G F5D7230-4 Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/setup_dns.stm?page=setup_dns"; content:"&dns1_1="; reference:url,www.gnucitizen.org/blog/holes-in-embedded-devices-authentication-bypass-pt-4; classtype:attempted-admin; sid:2020875; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR841N Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; 
content:"/userRpm/LanDhcpServerRpm.htm?"; fast_pattern; content:"dhcpserver=1"; content:"&dnsserver="; content:"&Save="; reference:url,www.exploit-db.com/exploits/34584; classtype:attempted-admin; sid:2020878; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/Basic.tri?"; fast_pattern; content:"&dns0_0="; content:"&dns0_1="; reference:url,sebug.net/paper/Exploits-Archives/2008-exploits/0803-exploits/linksys-bypass.txt; classtype:attempted-admin; sid:2020879; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_05_21;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR750N DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanStaticIpCfgRpm.htm"; fast_pattern; content:"&dnsserver="; content:"&Save=Save"; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2020880; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_05_21;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Privilege Escalation Attempt M1 (encrypted token)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/api/video.php"; endswith; http.request_body; content:"etc/config/.app_token"; fast_pattern; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030201; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_05_21;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Pre-Auth Local File Disclosure Attempt"; flow:established,to_server; http.method; 
content:"POST"; http.uri; content:"/p/api/video.php"; endswith; fast_pattern; http.header; content:"QMS_SID="; http.request_body; content:"./../"; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030202; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_05_21;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Privilege Escalation Attempt M2 (plaintext token)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/api/video.php"; endswith; http.request_body; content:"__thumb/ps.app.token"; fast_pattern; reference:url,medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05; classtype:attempted-admin; sid:2030203; rev:1; metadata:created_at 2020_05_21, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_05_21;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT QNAP PhotoStation Authenticated Session Tampering Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"sysRequest.cgi"; endswith; http.request_body; content:"smtp_fw_update="; startswith; fast_pattern; content:"= any any (msg:"ET EXPLOIT Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:5; metadata:created_at 2014_04_08, cve CVE_2014_0160, signature_severity Major, updated_at 2020_05_22;) alert http any any -> any 
8081 (msg:"ET EXPLOIT Websense Content Gateway submit_net_debug.cgi cmd_param Param Buffer Overflow Attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/submit_net_debug.cgi"; nocase; http.request_body; content:"cmd_param="; nocase; isdataat:500,relative; content:!"|0A|"; within:500; pcre:"/[\?\&]cmd_param=[^\&\r\n]{500}/si"; reference:cve,2015-5718; reference:url,seclists.org/fulldisclosure/2015/Aug/8; classtype:web-application-attack; sid:2021644; rev:4; metadata:created_at 2015_08_18, cve CVE_2015_5718, confidence High, signature_severity Major, updated_at 2020_05_29;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; http.uri; content:"/NEI_ModuleDispatch.php"; content:"module=NEI_AdvancedConfig"; distance:0; content:"&function=HapiGetFileContents"; fast_pattern; distance:0; http.uri.raw; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/i"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:4; metadata:created_at 2015_09_10, signature_severity Major, updated_at 2020_06_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M1 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|sudo"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030237; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, cve 
CVE_2020_13448, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_06_02;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Authenticated QuickBox CE 2.5.5/Pro 2.1.8 RCE Attempt Inbound M2 (CVE-2020-13448)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?id=88&servicestart="; fast_pattern; content:"|3b|wget"; distance:0; reference:url,www.exploit-db.com/exploits/48536; reference:url,s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/; reference:cve,2020-13448; classtype:attempted-admin; sid:2030238; rev:1; metadata:attack_target Web_Server, created_at 2020_06_02, cve CVE_2020_13448, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_06_02;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WordPress Plugin BBPress 2.5 - Unauthenticated Priv Esc Attempt (CVE-2020-13693)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"user_login"; content:"user_pass"; distance:0; content:"|22|bbp_keymaster|22|"; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/48534; reference:cve,2020-13693; classtype:attempted-admin; sid:2030239; rev:1; metadata:affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2020_06_02, cve CVE_2020_13693, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_06_02;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,to_server; http.method; content:"PUT"; http.cookie; content:"vcloud_jwt="; startswith; http.request_body; content:"|3a|Host|3e 24 7b|"; content:".getDeclaredConstructors|28 29 5b|"; distance:0; fast_pattern; flowbits:set,ET.20203956; reference:url,citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/; 
classtype:attempted-admin; sid:2030240; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2020_06_02, cve CVE_2020_3956, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_06_02;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Successful VMware Cloud Director RCE Attempt (CVE-2020-3956)"; flow:established,from_server; http.stat_code; content:"400"; http.response_body; content:" any any (msg:"ET EXPLOIT Possible Zephyr RTOS ICMPv4 Stack Buffer Overflow"; icode:0; dsize:>120; content:"|30 31 32 07 80|"; fast_pattern; content:"|00|"; endswith; reference:url,research.nccgroup.com/2020/05/26/research-report-zephyr-and-mcuboot-security-assessment/; classtype:bad-unknown; sid:2030242; rev:1; metadata:created_at 2020_06_02, deployment Perimeter, confidence Low, signature_severity Minor, updated_at 2020_06_02;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netgear Multiple Router Auth Bypass"; flow:to_server,established; http.uri; content:"/BRS_netgear_success.html"; depth:25; nocase; fast_pattern; reference:url,www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html; classtype:attempted-admin; sid:2021944; rev:3; metadata:created_at 2015_10_12, signature_severity Major, updated_at 2020_06_02;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Magento Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/magmi-importer/web/"; fast_pattern; content:"download_file.php?file="; distance:0; http.uri.raw; content:"|2e 2e 2f|"; http.header_names; content:!"Referer|0d 0a|"; reference:url,threatpost.com/zero-day-in-magento-plugin-magmi-under-attack/115026/; classtype:trojan-activity; sid:2021951; rev:3; metadata:created_at 2015_10_15, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2020_06_04, mitre_tactic_id TA0007, 
mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Archer C5 v4 (CVE-2019-7405)"; flow:established,to_server; http.uri; content:"/cgi/setPwd?pwd="; http.referer; bsize:14; content:"tplinkwifi.net"; fast_pattern; reference:cve,2019-7405; reference:url,securityintelligence.com/posts/tp-link-archer-router-vulnerability-voids-admin-password-can-allow-remote-takeover/; classtype:attempted-admin; sid:2029181; rev:3; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2019_12_17, cve CVE_2019_7405, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_06_08;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution"; flow:to_server,established; http.uri; content:"/upgrade_handle.php?cmd=writeuploaddir&uploaddir="; startswith; reference:url,blogs.securiteam.com/index.php/archives/3409; reference:cve,CVE-2017-18377; classtype:attempted-recon; sid:2024914; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_06_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenMRS Deserialization Vulnerability CVE-2018-19276"; flow:to_server,established; urilen:19; http.method; content:"POST"; http.uri; content:"/ws/rest/v1/concept"; fast_pattern; http.request_body; content:""; content:""; distance:0; content:""; distance:0; content:""; distance:0; reference:url,www.rapid7.com/db/modules/exploit/multi/http/openmrs_deserialization; reference:cve,2018-19276; classtype:attempted-admin; sid:2030258; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, cve CVE_2018_19276, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_06_08;) alert http 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple Router RCE Routersploit"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/view/IPV6/ipv6networktool/traceroute/ping.php?text_target="; depth:59; fast_pattern; content:"&text_pingcount="; distance:0; content:"&text_packetsize="; distance:0; content:"|7c|"; distance:0; reference:url,github.com/threat9/routersploit/blob/master/routersploit/modules/exploits/routers/netsys/multi_rce.py; classtype:attempted-admin; sid:2030259; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_06_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Edimax Technology EW-7438RPn-v3 Mini 1.27 - Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/goform/mp"; fast_pattern; content:"command=%7C%7C+"; depth:15; reference:url,www.exploit-db.com/exploits/48318; classtype:attempted-admin; sid:2030260; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_06_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Technicolor TD5130.2 - Remote Command Execution"; flow:to_server,established; urilen:13; http.method; content:"POST"; http.uri; content:"/mnt_ping.cgi"; fast_pattern; http.request_body; content:"isSubmit=1&addrType=3&pingAddr=|3b|"; depth:32; reference:url,www.exploit-db.com/exploits/47651; classtype:attempted-admin; sid:2030261; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_06_08;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Xfinity 
Gateway - Remote Code Execution"; flow:to_server,established; urilen:48; http.method; content:"POST"; http.uri; content:"/actionHandler/ajax_network_diagnostic_tools.php"; fast_pattern; http.request_body; content:"test_connectivity=true&destination_address=www.comcast.net|20 7c 7c 20|"; depth:62; reference:url,www.exploit-db.com/exploits/40856; classtype:attempted-admin; sid:2030262; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_08, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_06_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fastweb Fastgate 0.00.81 - Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/status.cgi?cmd="; content:"&act=nvset&service=usb_remove&mount="; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/47654; classtype:attempted-admin; sid:2030276; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple DLink Routers Remote Code Execution CVE-2019-16920"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/apply_sec.cgi"; http.request_body; content:"html_response_page=login_pic.asp&action=ping_test&ping_ipaddr="; fast_pattern; reference:cve,2019-16920; reference:url,www.fortinet.com/blog/threat-research/d-link-routers-found-vulnerable-rce; classtype:attempted-admin; sid:2030277; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, cve CVE_2019_16920, deployment Perimeter, 
confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netis WF2419 2.2.36123 - Remote Code Execution CVE-2019-19356"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin-igd/netcore_set.cgi"; http.request_body; content:"mode_name=netcore_set&tools_type=2&tools_ip_url=|7c|+"; fast_pattern; content:"&tools_cmd=1&net_tools_set=1&wlan_idx_num=0"; distance:0; reference:cve,2019-19356; reference:url,www.exploit-db.com/exploits/48149; classtype:attempted-admin; sid:2030278; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_10, cve CVE_2019_19356, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp any any -> any 62522 (msg:"ET EXPLOIT Cisco AnyConnect Path Traversal Priv Esc (CVE-2020-3153)"; flow:established,to_server; content:"OCSC"; depth:4; content:"vpndownloader.exe"; distance:0; content:"|5c 2e 2e 2f|dbghelp.dll"; fast_pattern; distance:0; reference:url,ssd-disclosure.com/ssd-advisory-cisco-anyconnect-privilege-elevation-through-path-traversal; reference:url,gist.github.com/ykoster/aeaa893d68adbc5004aa873b3290acd1; reference:cve,2020-3153; classtype:attempted-admin; sid:2030280; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_06_10, cve CVE_2020_3153, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_06_10, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET 
any -> $HOME_NET any (msg:"ET EXPLOIT ASUS RT-N56U/RT-AC66U Remote Code Execution"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/apply.cgi?current_page=Main_AdmStatus_Content.asp&next_page=Main_AdmStatus_Content.asp&next_host=&sid_list=FirewallConfig%3B&group_id=&modified=0&action_mode=+Refresh+&first_time=&action_script=&preferred_lang=EN&SystemCmd="; fast_pattern; content:"&action=Refresh"; distance:0; reference:url,www.ise.io/research/studies-and-papers/asus_rtn56u/; classtype:attempted-admin; sid:2030310; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi Router 3 Remote Code Execution CVE-2018-13023"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci/|3b|stok="; fast_pattern; content:"&sns=sns&grant=1&guest_user_id=guid&timeout="; distance:0; reference:url,blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09; reference:cve,2018-13023; classtype:attempted-admin; sid:2030311; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, cve CVE_2018_13023, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Mi TV Integration Remote Code Execution CVE-2018-16130"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci/|3b|stok="; fast_pattern; content:"/api/xqsmarthome/request_mitv?payload={"; distance:0; content:"$("; distance:0; 
reference:url,blog.securityevaluators.com/show-mi-the-vulns-exploiting-command-injection-in-mi-router-3-55c6bcb48f09; reference:cve,2018-16130; classtype:attempted-admin; sid:2030312; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, cve CVE_2018_16130, deployment Perimeter, confidence High, signature_severity Major, updated_at 2023_06_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LG SuperSign EZ CMS 2.5 Remote Code Execution CVE-2018-17173"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/qsr_server/device/getThumbnail?sourceUri="; fast_pattern; content:"'&targetUri="; distance:0; reference:url,www.exploit-db.com/exploits/45448; reference:cve,2018-17173; classtype:attempted-admin; sid:2030317; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2020_06_11, cve CVE_2018_17173, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible D-Link Command Injection Attempt Inbound (CVE-2020-13782)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_ajax_explorer.sgi?action="; fast_pattern; content:"&path="; distance:0; content:"&where="; distance:0; content:"&en=|3b|"; distance:0; reference:url,unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/; reference:cve,2020-13782; classtype:attempted-admin; sid:2030335; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_06_15, cve CVE_2020_13782, deployment Perimeter, deployment Internal, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_06_15, mitre_tactic_id 
TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Centreon 20.04 Authenticated RCE (CVE-2020-12688)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/main.get.php?p="; content:"&command_id="; distance:0; content:"&command_name=../"; distance:0; fast_pattern; content:"|3b|&command_line="; distance:0; reference:url,github.com/TheCyberGeek/Centreon-20.04; reference:cve,2020-12688; classtype:attempted-admin; sid:2030338; rev:1; metadata:attack_target Web_Server, created_at 2020_06_15, cve CVE_2020_12688, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_06_15;) alert udp $EXTERNAL_NET any -> $HOME_NET 50001 (msg:"ET EXPLOIT AnyDesk UDP Discovery Format String (CVE-2020-13160)"; isdataat:16; content:"|3e d1|"; depth:2; byte_test:4,>,16,11,relative,big; pcre:"/^.{11}([\xC0-\xC1]|[\xF5-\xFF]|\xE0[\x80-\x9F]|\xF0[\x80-\x8F]|[\xC2-\xDF](?![\x80-\xBF])|[\xE0-\xEF](?![\x80-\xBF]{2})|[\xF0-\xF4](?![\x80-\xBF]{3})|(?<=[\x00-\x7F\xF5-\xFF])[\x80-\xBF]|(? 
# NOTE(review): this copy of the file is garbled here -- the tail of the preceding AnyDesk rule (the rest of its pcre, its sid and metadata) and the action/protocol header of sid:2030385 are missing; re-pull both rules from the upstream ET Open ruleset before loading this file.
any any (msg:"ET EXPLOIT Possible CVE-2020-11896/CVE-2020-11898 Fragments inside IP-in-IP tunnel"; ip_proto:4; fragbits:M; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030385; rev:1; metadata:created_at 2020_06_22, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2020_06_22;)
# The Ripple20 rules below ship disabled (#alert) and are tagged performance_impact Significant: they match protocol anomalies (IP-in-IP, IPv6 routing header type 0, specific ICMP types/codes) rather than exploit content, so expect noise on networks that legitimately carry such traffic and enable them selectively where Ripple20-affected devices are in scope.
#alert ipv6 any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11897 IPv6 deprecated RH Type 0 source routing attack"; decode-event:ipv6.rh_type_0; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030386; rev:1; metadata:created_at 2020_06_22, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2020_06_22;)
#alert ip any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11900 IP-in-IP tunnel Double-Free"; ip_proto:4; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030388; rev:1; metadata:created_at 2020_06_22, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2020_06_22;)
#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11902 ICMPv4 parameter problem with tunnel inside"; itype:12; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030389; rev:1; metadata:created_at 2020_06_22, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2020_06_22;)
#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-11910 anomalous ICMPv4 type 3,code 4 Path MTU Discovery"; itype:3; icode:4; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030390; rev:1; metadata:created_at 2020_06_22, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2020_06_22;)
# NOTE(review): the msg below cites "CVE-2020-1191", which is not a complete CVE identifier and looks truncated; confirm the intended id against the Ripple20 reference before relying on the msg text in reporting or correlation.
#alert icmp any any -> any any (msg:"ET EXPLOIT Possible CVE-2020-1191 anomalous ICMPv4 Address Mask Reply message (type 18, code 0)"; itype:18; icode:0; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; 
sid:2030391; rev:1; metadata:created_at 2020_06_22, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2020_06_22;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DCS-930L Remote Command Execution attempt"; flow:to_server,established; urilen:17; http.method; content:"POST"; nocase; http.uri; content:"/setSystemCommand"; nocase; http.request_body; content:"SystemCommand="; nocase; reference:url,www.exploit-db.com/exploits/39437/; classtype:web-application-attack; sid:2022518; rev:3; metadata:created_at 2016_02_13, confidence Medium, signature_severity Major, updated_at 2020_06_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router Information Disclosure Exploit Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/data.ria?CfgType=get_homeCfg&file="; fast_pattern; depth:35; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022698; rev:3; metadata:created_at 2016_04_05, signature_severity Major, updated_at 2020_06_30, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 1 (ping)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webpost.cgi"; http.request_body; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 70 69 6e 67 22 2c 22 63 6d 64 22 3a 22 70 69 6e 67 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022700; rev:3; metadata:created_at 2016_04_05, confidence High, signature_severity Major, updated_at 2020_06_30;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Quanta LTE Router RDE Exploit Attempt 2 
(traceroute)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/webpost.cgi"; http.request_body; content:"|7b 22 43 66 67 54 79 70 65 22 3a 22 74 72 61 63 65 72 74 22 2c 22 63 6d 64 22 3a 22 74 72 61 63 65 72 74 22 2c 22 75 72 6c 22 3a 22|"; fast_pattern; pcre:"/^[^\x22]*[\x24\x60]+/Ri"; reference:url,pierrekim.github.io/blog/2016-04-04-quanta-lte-routers-vulnerabilities.html; classtype:attempted-admin; sid:2022701; rev:4; metadata:created_at 2016_04_05, confidence High, signature_severity Major, updated_at 2020_06_30;) alert http any any -> any any (msg:"ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1"; flow:established,to_server; http.uri; content:"/tmui/login.jsp"; depth:15; fast_pattern; content:"|3b|"; distance:0; reference:cve,2020-5902; reference:url,support.f5.com/csp/article/K52145254; classtype:attempted-admin; sid:2030469; rev:5; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_05, cve CVE_2020_5902, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Critical, tag CISA_KEV, updated_at 2020_07_08;) alert http any any -> any any (msg:"ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M2"; flow:established,to_server; http.uri; content:"/hsqldb"; depth:7; fast_pattern; content:"|3b|"; distance:0; reference:cve,2020-5902; reference:url,www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/; reference:url,support.f5.com/csp/article/K52145254; classtype:attempted-admin; sid:2030483; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_07_08, cve CVE_2020_5902, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Critical, tag CISA_KEV, updated_at 2020_07_08;) alert tcp $EXTERNAL_NET any -> $HOME_NET [9530,9527,23] (msg:"ET EXPLOIT Attempted HiSilicon DVR/NVR/IPCam RCE (Inbound)"; flow:established,to_server; dsize:21; content:"|15 4f 70 65 6e 54 65 6c 6e 65 74 3a 4f 70 65 6e 
4f 6e 63 65 00|"; reference:url,github.com/Snawoot/hisilicon-dvr-telnet/blob/master/hs-dvr-telnet.c; reference:url,habr.com/en/post/486856/; classtype:attempted-admin; sid:2030487; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_07_09;) alert tcp $HOME_NET any -> $EXTERNAL_NET [9530,9527,23] (msg:"ET EXPLOIT Attempted HiSilicon DVR/NVR/IPCam RCE (Outbound)"; flow:established,to_server; dsize:21; content:"|15 4f 70 65 6e 54 65 6c 6e 65 74 3a 4f 70 65 6e 4f 6e 63 65 00|"; reference:url,github.com/Snawoot/hisilicon-dvr-telnet/blob/master/hs-dvr-telnet.c; reference:url,habr.com/en/post/486856/; classtype:attempted-admin; sid:2030488; rev:1; metadata:affected_product IoT, attack_target Client_Endpoint, created_at 2020_07_09, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_07_09;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potentially Malicious .cab Inbound (CVE-2020-1300)"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"MSCF"; startswith; content:"../../"; distance:0; fast_pattern; pcre:"/^[a-z0-9\-_\.\/]+\x00/Ri"; reference:url,www.thezdi.com/blog/2020/7/8/cve-2020-1300-remote-code-execution-through-microsoft-windows-cab-files; classtype:attempted-admin; sid:2030493; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_07_10, cve CVE_2020_1300, deployment Perimeter, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_07_10;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Authenticated Command Injection Inbound - Comtrend VR-3033 (CVE-2020-10173)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"ping.cgi?pingIpAddress="; fast_pattern; content:"|3b|"; distance:0; 
reference:url,blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/; reference:cve,2020-10173; classtype:attempted-admin; sid:2030502; rev:1; metadata:attack_target Networking_Equipment, created_at 2020_07_13, cve CVE_2020_10173, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, updated_at 2020_07_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# --- Review notes for this excerpt -------------------------------------------
# One-rule-per-line formatting has been restored where the page wrapped rules
# mid-line; rule text is otherwise untouched. Three rules in this copy are
# truncated inside a content match and fused with the head of the rule that
# follows them (the PHPMailer CVE-2016-10033 rule, the EXPLODINGCAN PROPFIND
# rule and the TeamViewer CVE-2020-13699 iframe rule). Suricata will log a parse
# error for each fused line and drop it (fatal with --init-errors-fatal), which
# also loses the rule it swallowed (sids 2023995, 2024234 and 2024192). Do not
# deploy from this copy without restoring those rules from the upstream ET Open
# ruleset. The final rule (MS08-067 ECLIPSEDWING) is cut off by the end of the
# excerpt for the same reason. The fused/truncated lines are kept verbatim and
# marked "BROKEN IN THIS COPY" below.
#
# CVE-2020-1350 (SIGRed). Both rules key on the 2-byte TCP DNS length prefix
# being >= 0xfeea (65258), then RR type 0x0018 (SIG, type 24) and a 0xc0 name
# compression pointer; a message that large is only possible over TCP. M1 looks
# at replies coming from :53 (the oversized response returned to the Windows DNS
# server), M2 at client->server traffic into :53. The ports are "any", hence
# performance_impact Significant - scope to your DNS servers if the byte_test
# fires too often.
alert tcp any 53 -> any any (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M1 (CVE-2020-1350)"; flow:established,from_server; byte_test:2,>=,0xfeea,0; content:"|00 00 18|"; within:76; content:"|00 00 18|"; distance:12; within:64; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030533; rev:4; metadata:affected_product Windows_DNS_server, created_at 2020_07_14, cve CVE_2020_1350, performance_impact Significant, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2020_07_16;)
alert tcp any any -> any 53 (msg:"ET EXPLOIT Possible Windows DNS Integer Overflow Attempt M2 (CVE-2020-1350)"; flow:established,to_server; byte_test:2,>=,0xfeea,0; content:"|00 00 18|"; within:76; fast_pattern; content:"|c0|"; distance:2; within:1; content:"|00 18|"; distance:1; within:2; reference:cve,2020-1350; reference:url,research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/; classtype:attempted-admin; sid:2030532; rev:4; metadata:affected_product Windows_DNS_server, created_at 2020_07_14, cve CVE_2020_1350, performance_impact Significant, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2020_07_16;)
# CVE-2020-6287 (SAP NetWeaver "RECON") flowbit chain. The Probe (2030576,
# GET /CTCWebService/CTCWebServiceBean) sets ET.CVE20206287.1, which the
# "Vulnerable Response" rule (2030577) requires; the POST whose body carries
# base64 "PHJvb3Q+ICA8dXNlcj4" (decodes to '<root>  <user>', the user-creation
# XML from the referenced PoC) sets ET.CVE20206287.2, which "Exploit Success"
# (2030579, response containing "Add user success") requires. Disabling either
# request rule silently disables its response rule. All four are tagged
# SSLDecrypt: without TLS visibility none of them can fire. The response rules
# match only on HTTP 200.
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Vulnerable Response"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"urn:CTCWebServiceSi"; fast_pattern; flowbits:isset,ET.CVE20206287.1; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-recon; sid:2030577; rev:1; metadata:created_at 2020_07_22, cve CVE_2020_6287, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_07_22;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"PHJvb3Q+ICA8dXNlcj4"; fast_pattern; flowbits:set,ET.CVE20206287.2; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-admin; sid:2030578; rev:1; metadata:created_at 2020_07_22, cve CVE_2020_6287, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_07_22;)
alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Exploit Success"; flow:established,from_server; http.stat_code; content:"200"; http.response_body; content:"urn:CTCWebServiceSi"; fast_pattern; content:"Add|20|user|20|success"; distance:0; flowbits:isset,ET.CVE20206287.2; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-admin; sid:2030579; rev:1; metadata:created_at 2020_07_22, cve CVE_2020_6287, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_07_22;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SAP NetWeaver CVE-2020-6287 Probe"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/CTCWebService/CTCWebServiceBean"; fast_pattern; flowbits:set,ET.CVE20206287.1; reference:url,github.com/duc-nt/CVE-2020-6287-exploit; reference:cve,2020-6287; classtype:attempted-recon; sid:2030576; rev:2; metadata:created_at 2020_07_22, cve CVE_2020_6287, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_07_22;)
# CVE-2020-3452: path traversal ("=..") in a GET to a /+CSCO* endpoint on
# ASA/FTD. The M1/M2 variants are not in this excerpt. This alerts on the
# attempt, not on success; confirm disclosure from the response or device logs.
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/+CSCO"; fast_pattern; content:"=.."; distance:0; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030585; rev:1; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, cve CVE_2020_3452, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_07_23;)
# Netgear /upgrade_check.cgi overflow (GRIMM 2020-06-15 PoC). M1 requires
# Content-Length > 4000 and the PoC's "mknod /dev/ptyp" payload; M2 only
# requires > 1000 and "/bin/" anywhere in the body, so it is the broader and
# noisier of the pair even though both carry confidence High.
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Attempted Netgear Buffer Overflow into RCE Inbound M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade_check.cgi"; bsize:18; http.content_len; byte_test:0,>,4000,0,string,dec; http.request_body; content:"mknod|20 2f|dev/ptyp"; fast_pattern; reference:url,github.com/grimm-co/NotQuite0dayFriday/blob/master/2020.06.15-netgear/exploit.py; classtype:attempted-admin; sid:2030630; rev:1; metadata:affected_product Netgear_Router, created_at 2020_07_31, deployment Perimeter, confidence High, signature_severity Major, tag Exploit, updated_at 2020_07_31;)
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Attempted Netgear Buffer Overflow into RCE Inbound M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/upgrade_check.cgi"; bsize:18; fast_pattern; http.content_len; byte_test:0,>,1000,0,string,dec; http.request_body; content:"/bin/"; reference:url,github.com/grimm-co/NotQuite0dayFriday/blob/master/2020.06.15-netgear/exploit.py; classtype:attempted-admin; sid:2030631; rev:1; metadata:affected_product Netgear_Router, created_at 2020_07_31, deployment Perimeter, confidence High, signature_severity Major, tag Exploit, updated_at 2020_07_31;)
# CVE-2016-6563: HNAP1 SOAPAction header carrying an extra path component after
# /HNAP1/. The pcre is anchored on the SOAPAction header line (/m); the two
# content matches alone would also hit legitimate HNAP traffic.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a|"; content:"http|3a|//purenetworks.com/HNAP1/"; fast_pattern; pcre:"/^SOAPAction\x3a\s+?[^\r\n]*?http\x3a\/\/purenetworks\.com\/HNAP1\/([^\x2f]+?[\x2f])?[^\x2f]/mi"; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:5; metadata:created_at 2015_04_13, cve CVE_2016_6563, confidence Medium, signature_severity Major, updated_at 2020_08_03;)
# VU#582384 (R7000): "$IFS" followed by ";" in a /cgi-bin/ URI - the shell
# field separator is the classic way to smuggle spaces into the injected
# command. "$" is a literal byte in Suricata content, not a variable.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R7000 Command Injection Exploit"; flow:established,to_server; http.uri; content:"/cgi-bin/"; depth:9; content:"$IFS"; fast_pattern; distance:0; content:"|3b|"; reference:url,www.kb.cert.org/vuls/id/582384; classtype:attempted-user; sid:2023628; rev:3; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, created_at 2016_12_12, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_03, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# BROKEN IN THIS COPY: the PHPMailer CVE-2016-10033 rule is cut off inside its
# first http.request_body content and fused with the head of the TP-LINK
# "DNS Change GET Request" rule (sid 2023995: /userRpm/ plus &dnsserver=,
# thresholded to 3 per 90 s by destination). Neither rule will load from this
# line; restore both from upstream.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2016-10033 PHPMailer RCE Attempt"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:" $HOME_NET any (msg:"ET EXPLOIT TP-LINK DNS Change GET Request (DNSChanger EK)"; flow:to_server,established; threshold:type both,track by_dst,count 3, seconds 90; http.method; content:"GET"; http.uri; content:"/userRpm/"; depth:9; fast_pattern; content:"&dnsserver="; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023995; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_17, deployment Internet, performance_impact Moderate, signature_severity Major, updated_at 2020_08_04;)
# TP-Link Archer C2/C20i RCE through the IPPING diagnostic (routersploit
# module). NOTE(review): classtype is command-and-control although this is an
# inbound exploit attempt and its siblings use attempted-admin/attempted-user;
# check how your alert routing treats that classtype before relying on it.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Archer C2 and Archer C20i Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi?"; nocase; http.header; content:"/mainFrame.htm"; http.request_body; content:"IPPING"; nocase; content:"X_TP_ConnName=ewan_ipoe_s"; fast_pattern; reference:url,github.com/reverse-shell/routersploit/blob/master/routersploit/modules/exploits/tplink/archer_c2_c20i_rce.py; classtype:command-and-control; sid:2024191; rev:3; metadata:affected_product TPLINK, attack_target Client_Endpoint, created_at 2017_04_07, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_05, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
# BROKEN IN THIS COPY: the EXPLODINGCAN IIS 5.0/6.0 PROPFIND rule is cut off
# inside its "If:" header content and fused with the head of the BlueCoat CAS
# rule (sid 2024234, CVE-2016-9091: a ";" after /dev-report-overview.html in a
# POST to /report-email/send on :8082). Neither rule will load from this line;
# restore both from upstream.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible EXPLODINGCAN IIS5.0/6.0 Exploit Attempt"; flow:to_server,established; urilen:1; http.method; content:"PROPFIND"; http.header; content:"Content-Length|3a 20|0|0d 0a|Host|3a 20|"; depth:25; content:"|0d 0a|If|3a 20| $HOME_NET 8082 (msg:"ET EXPLOIT BlueCoat CAS v1.3.7.1 Report Email Command Injection attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/report-email/send"; nocase; http.request_body; content:"/dev-report-overview.html"; nocase; content:"|3B|"; distance:0; pcre:"/\/dev-report-overview\.html[^\"]*?\x3b/i"; reference:cve,2016-9091; reference:url,www.exploit-db.com/exploits/41785/; reference:url,bto.bluecoat.com/security-advisory/sa138; classtype:web-application-attack; sid:2024234; rev:3; metadata:affected_product HTTP_Server, attack_target Web_Server, created_at 2017_04_21, cve CVE_2016_9091, deployment Internal, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2020_08_05, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# CVE-2017-5689: HTTP Digest authentication to the AMT ports (16992/16993/
# 623/664) with an empty response="" - the pcre requires two quotes directly
# after response=, which is the authentication-bypass shape. NOTE(review): the
# affected_product metadata names Windows, but the target is the AMT management
# interface; do not filter these alerts on OS.
alert http any any -> $HOME_NET [16992,16993,623,664] (msg:"ET EXPLOIT Intel AMT Login Attempt Detected (CVE 2017-5689)"; flow:to_server,established; http.header; content:"Authorization|3a 20|Digest"; content:"username=|22|"; content:"response="; fast_pattern; pcre:"/^\s*\x22{2}/R"; reference:url,mjg59.dreamwidth.org/48429.html; reference:url,www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability; reference:cve,2017-5689; classtype:attempted-admin; sid:2024287; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_10, cve CVE_2017_5689, deployment Internal, performance_impact Moderate, signature_severity Major, updated_at 2020_08_06;)
# CVE-2017-8514 (SharePoint XSS): FollowSite= and SiteName= in the URI with a
# "-confirm" suffix after SiteName. Matches the parameter shape only, not a
# payload, hence confidence Medium.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible SharePoint XSS (CVE-2017-8514) Inbound"; flow:to_server,established; http.uri; content:"FollowSite="; nocase; fast_pattern; content:"SiteName="; nocase; content:"-confirm"; nocase; distance:0; reference:url,respectxss.blogspot.fr/2017/06/a-look-at-cve-2017-8514-sharepoints.html; classtype:attempted-user; sid:2024412; rev:3; metadata:affected_product HTTP_Server, attack_target Server, created_at 2017_06_19, cve CVE_2017_8514, deployment Internal, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2020_08_06;)
# BROKEN IN THIS COPY: the TeamViewer CVE-2020-13699 iframe rule is cut off
# inside its http.response_body content and fused with the head of "Possible
# CVE-2017-0199 HTA Inbound" (sid 2024192). Neither rule will load from this
# line; restore both from upstream. Note that 2024192 additionally requires
# flowbit et.IE7.NoRef.NoCookie, which is set by a rule outside this excerpt,
# and looks for RTF markers ({\rt followed by two more {\ groups) inside a body
# served as application/hta.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TeamViewer .tvs iFrame Observed (CVE-2020-13699)"; flow:established,from_server; http.response_body; content:" $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,from_server; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0; classtype:trojan-activity; sid:2024192; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_11;)
# CVE-2017-0199 HTA M2 (standalone, no flowbit). The hex decodes to
# '.expandEnvironmentStrings("%APPDATA%") ' and 'Menu\Programs\Startup\' -
# an HTA that writes into the Start Menu Startup folder for persistence.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2"; flow:established,from_server; http.content_type; content:"application/hta"; bsize:15; file.data; content:"|2e 65 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 41 50 50 44 41 54 41 25 22 29 20|"; content:"|4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 5c|"; classtype:trojan-activity; sid:2024193; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_11;)
# UniFi Cloud Key 0.6.1: a ";" within the first 50 bytes of the Host header on
# GET /status (urilen 7) - command injection via the Host header.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; urilen:7; http.method; content:"GET"; nocase; http.uri; content:"/status"; fast_pattern; http.header; content:"Host|3a|"; nocase; content:"|3b|"; within:50; distance:0; pcre:"/^Host\x3a[^\n]{0,50}?\x3b/mi"; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:2024548; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_08_14, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2020_08_11;)
# CVE-2017-9805 (Struts 2 REST plugin / XStream). 2024663 and 2024664 match the
# Java class name in the request body. NOTE(review): the trailing
# content:"]/Rs" in both looks like the remains of a pcre whose <...> tokens
# were stripped from this copy - it is syntactically valid but almost certainly
# not the upstream rule; confirm before relying on them.
# 2024668-2024670 cover the three base64 alignments of "ysoserial/"
# (eXNvc2VyaWFsL, lzb3NlcmlhbC, 5c29zZXJpYWwv). 2024671-2024673 cover the three
# base64 alignments of the Java class-file magic 0xCAFEBABE (yv66v, r+ur,
# K/rq+), and 2024671-2024675 are all pinned to the /struts2-rest-showcase/
# orders/3 demo path, so they only see PoC traffic against the showcase app,
# not exploitation of a real deployment.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)"; flow:to_server,established; http.request_body; content:"java.lang.ProcessBuilder"; nocase; fast_pattern; content:"]/Rs"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, cve CVE_2017_9805, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (Runtime.Exec)"; flow:to_server,established; http.request_body; content:"java.lang.Runtime"; nocase; fast_pattern; content:".exec"; distance:0; content:"]/Rs"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024664; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, cve CVE_2017_9805, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"eXNvc2VyaWFsL"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024668; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, cve CVE_2017_9805, deployment Datacenter, signature_severity Critical, tag possible_exploitation, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 2"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"lzb3NlcmlhbC"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024669; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, cve CVE_2017_9805, deployment Datacenter, signature_severity Critical, tag possible_exploitation, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin ysoserial Usage (B64) 3"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"5c29zZXJpYWwv"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024670; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, cve CVE_2017_9805, deployment Datacenter, signature_severity Critical, tag possible_exploitation, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 4"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|79 76 36 36 76|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024671; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, cve CVE_2017_9805, deployment Datacenter, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 5"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|72 2b 75 72|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024672; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, cve CVE_2017_9805, deployment Datacenter, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (B64) 6"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"|4b 2f 72 71 2b|"; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024673; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, cve CVE_2017_9805, deployment Datacenter, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (Runtime.Exec)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"java.lang.Runtime"; nocase; fast_pattern; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024674; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, cve CVE_2017_9805, deployment Datacenter, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_12;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin (ProcessBuilder)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/struts2-rest-showcase/orders/3"; http.request_body; content:"java.lang.ProcessBuilder"; nocase; fast_pattern; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024675; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_07, cve CVE_2017_9805, deployment Datacenter, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_12;)
# CVE-2016-0189 served from an HTTP File Server (Server: header starts with
# "HFS"), carrying the PoC function names triggerBug/intToStr/strToInt. The
# generic constructs are covered by 2022971/2022972 further down.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Exploit HFS Actor"; flow:established,from_server; http.server; content:"HFS"; startswith; file.data; content:"triggerBug"; nocase; fast_pattern; content:"exploit"; nocase; content:"intToStr"; nocase; content:"strToInt"; nocase; classtype:trojan-activity; sid:2024677; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_09_07, cve CVE_2016_0189, deployment Perimeter, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_12;)
# CVE-2017-12629 (Solr). 2024884 is the standalone POST variant (RunExecutable-
# Listener added via a JSON config API call; also requires Content-Type
# application/json). 2024885 (XXE: ?q={!xmlparser ... ='<!DOCTYPE with an
# http(s):// or file:// URL later on the same line) sets ET.CVE-2017-12629;
# 2024886 (same listener via GET) and 2024887 (the update?...stream.body=...
# commit= request) require that flowbit, so they only fire after the XXE
# request was seen on the same flow.
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP POST)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"newcollection/config"; http.request_body; content:"|22|add-listener|22|"; content:"|22|event|22 3a 22|postCommit|22|"; content:"|22|class|22|"; content:"RunExecutableListener|22 2c|"; fast_pattern; content:"|22|exe|22|"; content:"|22|dir|22|"; content:"|22|args|22|"; http.content_type; content:"application/json"; startswith; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024884; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, cve CVE_2017_12629, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_08_13;)
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 XXE Exploit Attempt (URI)"; flow:to_server,established; flowbits:set,ET.CVE-2017-12629; http.uri; content:"?q=|7b 21|xmlparser"; content:"|3d 27 3c 21|DOCTYPE"; nocase; distance:0; fast_pattern; pcre:"/^(?:(?!\x0d\x0a).)+\x22(?:https?|file):\x2f\x2f/R"; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024885; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, cve CVE_2017_12629, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_08_13;)
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 1)"; flow:to_server,established; flowbits:isset,ET.CVE-2017-12629; http.method; content:"GET"; http.uri; content:"newcollection/config"; content:"|22|add-listener|22 3a|"; distance:0; content:"|22|event|22 3a 22|postCommit|22|"; distance:0; content:"|22|class|22|"; distance:0; content:"RunExecutableListener|22 2c 22|exe|22|"; distance:0; fast_pattern; content:"|22|dir|22|"; content:"|22|args|22|"; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024886; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, cve CVE_2017_12629, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_08_13;)
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 RCE Exploit Attempt (HTTP GET 2)"; flow:to_server,established; flowbits:isset,ET.CVE-2017-12629; http.method; content:"GET"; http.uri; content:"?q="; content:"update?"; distance:0; content:"stream.body="; content:"commit="; content:"overwrite="; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024887; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, cve CVE_2017_12629, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_08_13;)
# IoT credential-disclosure / command-injection probes added 2017-10-25.
# 2024915 (/board.cgi?cmd=), 2024918 (CloudSetup.cgi?exefile=) and 2024920
# (PwdGrp.cgi?action=) match the bare endpoint with no payload check, so any
# legitimate use of those CGIs alerts as well. classtype is attempted-recon
# throughout, even where the msg says command execution - account for that
# when mapping classtypes to priorities.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link 850L Password Extract Attempt"; flow:to_server,established; urilen:11; http.method; content:"POST"; http.uri; content:"/hedwig.cgi"; fast_pattern; http.request_body; content:"DEVICE.ACCOUNT"; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:2024913; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, signature_severity Major, updated_at 2020_08_13;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution"; flow:to_server,established; http.uri; content:"/board.cgi?cmd="; depth:15; reference:url,blogs.securiteam.com/index.php/archives/3445; classtype:attempted-recon; sid:2024915; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_08_13;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN Remote Command Execution"; flow:to_server,established; http.uri; content:"/setup.cgi?next_file="; nocase; content:"&todo=syscmd&cmd="; nocase; distance:0; content:"currentsetting.htm"; nocase; fast_pattern; reference:url,seclists.org/bugtraq/2013/Jun/8; classtype:attempted-recon; sid:2024916; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_08_13;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices"; flow:to_server,established; http.uri; content:"/Search.cgi?action=cgi_query"; nocase; fast_pattern; content:"&username="; nocase; distance:0; content:"&password="; nocase; distance:0; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024917; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, confidence Low, signature_severity Major, updated_at 2020_08_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024918; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, signature_severity Major, updated_at 2020_08_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in adcommand.cgi"; urilen:33; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/cgi-bin/supervisor/adcommand.cgi"; nocase; fast_pattern; http.request_body; content:"DoShellCmd"; nocase; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024919; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_08_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in PwdGrp.cgi"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/PwdGrp.cgi?action="; nocase; depth:38; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024920; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, signature_severity Major, updated_at 2020_08_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# CVE-2017-5521 (Netgear password recovery bypass). Note the "any any -> any
# any" header: this also alerts on hosts inside $HOME_NET scanning outward,
# which is useful for spotting compromised clients but changes the meaning of
# the source address in triage.
alert http any any -> any any (msg:"ET EXPLOIT Netgear passwordrecovered.cgi attempt"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/passwordrecovered.cgi?id="; nocase; reference:url,www.securityfocus.com/archive/1/530743/30/0/threaded; reference:url,www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911; reference:cve,2017-5521; classtype:attempted-admin; sid:2017969; rev:5; metadata:created_at 2014_01_15, cve CVE_2017_5521, signature_severity Major, updated_at 2020_08_18;)
# ZynOS /rom-0: unauthenticated download of the router configuration, which
# carries the admin password (Team Cymru SOHO pharming report).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZyXELs ZynOS Configuration Download Attempt (Contains Passwords)"; flow:established,to_server; urilen:6; http.uri; content:"/rom-0"; nocase; reference:url,www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf; classtype:attempted-admin; sid:2018232; rev:4; metadata:created_at 2014_03_08, confidence Medium, signature_severity Major, updated_at 2020_08_18;)
# Disabled upstream ("#"): 2010-2011 signatures for long-EOL products, kept for
# reference. 2012101 still uses the legacy http_method modifier syntax.
#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"ET EXPLOIT Computer Associates Brightstor ARCServer Backup RPC Server (Catirpc.dll) DoS"; content:"|00 00 00 00|"; offset:4; depth:4; content:"|00 00 00 03|"; distance:8; within:4; content:"|00 00 00 08|"; within:4; content:"|00 00 00 00|"; within:4; content:"|00 00 00 00|"; distance:4; within:4; content:"|00 00 00 00 00 00 00 00|"; distance:8; within:32; reference:url,www.milw0rm.com/exploits/3248; classtype:attempted-dos; sid:2003370; rev:4; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2020_08_20;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"ET EXPLOIT HP-UX Printer LPD Command Insertion"; flow:established,to_server; content:"|02|msf28|30|"; depth:7; content:"|60|"; within:20; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-user; sid:2002852; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_08_20;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2967:2968 (msg:"ET EXPLOIT Symantec Remote Management RTVScan Exploit"; flow:established,to_server; content:"|10|"; depth:2; content:"|00 24 00|"; within:20; content:"|5c|"; distance:0; isdataat:380,relative; reference:cve,2006-3455; reference:url,research.eeye.com/html/advisories/published/AD20060612.html; classtype:attempted-admin; sid:2003250; rev:5; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_08_20;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 1"; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; content:"|FE|"; byte_test:1,>,11,0,relative; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012154; rev:3; metadata:created_at 2011_01_06, confidence Medium, signature_severity Major, updated_at 2020_08_20;)
#alert udp $EXTERNAL_NET any -> $HOME_NET 3333 (msg:"ET EXPLOIT Wireshark ENTTEC DMX Data Processing Code Execution Attempt 2"; content:"|FE|"; byte_test:1,>,11,0,relative; content:"|45 53 44 44|"; depth:4; content:"|04|"; distance:2; within:1; content:"|FE FF|"; within:50; content:"|FE FF|"; within:50; reference:url,www.exploit-db.com/exploits/15898/; reference:bid,45634; classtype:attempted-user; sid:2012155; rev:3; metadata:created_at 2011_01_06, signature_severity Major, updated_at 2020_08_20;)
#alert http $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:4; metadata:created_at 2010_12_27, signature_severity Major, updated_at 2020_08_20, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# PCMan FTP 2.0.7: the PoC's hard-coded return address |65 82 a5 7c| followed
# within 10 bytes by an x86 NOP sled. Pinned to one exploit; a different return
# address or sled is not covered.
alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PCMan FTP Server 2.0.7 Remote Command Execution"; flow:to_server,established; content:"|65 82 a5 7c|"; fast_pattern; content:"|90 90 90 90 90|"; within:10; reference:url,exploit-db.com/exploits/36078; classtype:attempted-admin; sid:2020585; rev:3; metadata:created_at 2015_03_03, confidence Medium, signature_severity Major, updated_at 2020_08_19;)
# CVE-2019-10149 (Exim "Return of the WIZard"): RCPT TO whose local part
# contains "${run{" ... "}}@" - the expansion that executes a command when the
# message is delivered.
alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible Exim 4.87-4.91 RCE Attempt Inbound (CVE-2019-10149)"; flow:established,to_server; content:"RCPT|20|TO"; content:"|24 7b|run|7b|"; within:12; fast_pattern; content:"|7d 7d 40|"; distance:0; reference:url,www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt; classtype:attempted-admin; sid:2027442; rev:4; metadata:attack_target SMTP_Server, created_at 2019_06_07, cve CVE_2019_10149, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19;)
# CVE-2019-16759 (vBulletin 5.x pre-auth RCE): routestring=ajax/render/
# widget_php with widgetConfig[code]=echo shell_exec(...). M1 has everything in
# the POST body, M2 has the route in the URI and the code in the body, M3 is
# the GET form. All three require the literal "echo" and "shell_exec", so
# payloads using system/passthru/exec or any other wrapper are not covered -
# treat a hit as high-confidence but do not treat silence as clean.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"routestring"; fast_pattern; content:"ajax"; within:100; content:"render"; within:9; content:"widget_php"; within:13; content:"widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; classtype:attempted-admin; sid:2028621; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_09_25, cve CVE_2019_16759, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"routestring"; fast_pattern; content:"ajax"; within:7; content:"render"; within:9; content:"widget_php"; within:13; http.request_body; content:"widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028825; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_10_14, cve CVE_2019_16759, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT vBulletin 5.x Unauthenticated Remote Code Execution (CVE-2019-16759) M3"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"?routestring"; fast_pattern; content:"ajax"; within:7; content:"render"; within:9; content:"widget_php"; within:13; content:"&widgetConfig"; nocase; content:"code"; within:7; content:"echo"; distance:0; nocase; content:"shell_exec"; nocase; within:13; reference:url,seclists.org/fulldisclosure/2019/Sep/31; reference:url,unit42.paloaltonetworks.com/exploits-in-the-wild-for-vbulletin-pre-auth-rce-vulnerability-cve-2019-16759/; classtype:attempted-admin; sid:2028826; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2019_10_14, cve CVE_2019_16759, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
# Grandstream UCM6202 1.0.18.13: POST body starting with
# action=sendPasswordEmail&user_name= followed by a single quote within 40
# bytes and a backtick-;-backtick sequence - the injection shape from
# exploit-db 48247.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT UCM6202 1.0.18.13 - Remote Command Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"action=sendPasswordEmail&user_name="; startswith; fast_pattern; content:"|27|"; within:40; content:"|60 3b 60|"; within:100; reference:url,www.exploit-db.com/exploits/48247; classtype:attempted-admin; sid:2030206; rev:2; metadata:created_at 2020_05_22, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_19, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# Disabled upstream: MS03-007 WebDAV (CVE-2003-0109), pinned to one PoC's
# exact header block including Content-length 5276.
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; fast_pattern; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:13; metadata:created_at 2010_09_23, signature_severity Major, updated_at 2022_03_17;)
# CVE-2016-0189 (VBScript engine) generic constructs from the theori.io PoC:
# M1 keys on the %u-encoded shellcode header and "redim Preserve ... 2000)";
# M2 on triggerBug / Dim / .resize( / Mid(x, 1, 24000). Both use legacy
# file_data rather than the file.data sticky buffer used elsewhere here.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M1"; flow:established,from_server; file_data; content:"%u0008%u4141%u4141%u4141"; nocase; content:"redim"; nocase; content:"Preserve"; content:"2000"; distance:0; pcre:"/^\s*?\x29/Rs"; content:"%u400C%u0000%u0000%u0000"; nocase; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022971; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, cve CVE_2016_0189, deployment Perimeter, performance_impact Low, signature_severity Major, tag CVE_2016_0189, tag CISA_KEV, updated_at 2020_08_19;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2016-0189 Common Construct M2"; flow:established,from_server; file_data; content:"triggerBug"; nocase; content:"Dim "; nocase; distance:0; content:".resize"; nocase; pcre:"/^\s*\x28/Rs"; content:"Mid"; pcre:"/^\s*?\(x\s*,\s*1,\s*24000\s*\x29/Rs"; reference:url,theori.io/research/cve-2016-0189; reference:cve,2016-0189; classtype:attempted-user; sid:2022972; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_15, cve CVE_2016_0189, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19;)
# CVE-2014-0195 (OpenSSL DTLS fragment handling): DTLS 1.0 handshake record
# (16 fe ff) with epoch/sequence zero and a ClientHello (01). Roughly: it
# extracts the 3-byte handshake length of the first fragment, jumps past it,
# and alerts when the following ClientHello fragment advertises a different
# length - the mismatched-fragment condition that triggers the bug. Matches on
# any UDP port. reviewed_at 2024_03_07.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SUSPICIOUS DTLS 1.0 Fragmented Client Hello Possible CVE-2014-0195"; content:"|16 fe ff 00 00 00 00 00 00 00|"; depth:10; content:"|01|"; distance:3; within:1; byte_test:3,>,0,0,relative; byte_test:3,>,0,8,relative; byte_extract:3,0,frag_len,relative; byte_jump:3,5,relative; content:"|01|"; within:1; byte_test:3,!=,frag_len,0,relative; reference:url,h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002; classtype:attempted-user; sid:2018560; rev:3; metadata:created_at 2014_06_13, cve CVE_2014_0195, confidence Medium, signature_severity Major, updated_at 2020_08_19, reviewed_at 2024_03_07;)
# BROKEN IN THIS COPY: MS08-067 (ECLIPSEDWING / RPCTOUCH) rule is cut off by the
# end of the excerpt inside its NTLMSSP content; the sid is not visible. The
# visible part matches an SMB header with command 0x2f (SMB_COM_WRITE_ANDX).
# Restore from upstream before use.
alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ECLIPSEDWING RPCTOUCH MS08-067"; flow:to_server,established; content:"|ff|SMB|2f 00 00 00 00|"; offset:4; depth:9; content:"NTLMSSP|00 03 
00 00 00 01 00 01 00|"; distance:0; fast_pattern; content:"|00 00 00 00 49 00 00 00|"; distance:4; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 48 00 00 00|"; within:8; content:"|00 00 00 00 49 00 00 00|"; within:8; content:"|00 00 00 00 00 00 00 00 00|"; distance:4; within:9; endswith; classtype:trojan-activity; sid:2024214; rev:3; metadata:attack_target SMB_Server, created_at 2017_04_17, deployment Internal, confidence Medium, signature_severity Critical, updated_at 2020_08_19;) alert udp any any -> $HOME_NET 50000 (msg:"ET EXPLOIT Win32/Industroyer DDOS Siemens SIPROTEC (CVE-2015-5374)"; dsize:18; content:"|11 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 9E|"; fast_pattern; reference:url,www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf; classtype:attempted-dos; sid:2024376; rev:3; metadata:attack_target Client_and_Server, created_at 2017_06_12, cve CVE_2015_5374, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_19;) alert ftp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-8759 Soap File DL Over FTP"; flow:established,from_server; content:"process.start"; nocase; fast_pattern; content:").)+?]+location=\s*[\x22\x27](?:(?!<\/service>).)+?]+location=\s*?\x22[^\x22]*\r?\n[^\x22]*?process\.start/Rsi"; classtype:attempted-admin; sid:2024729; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_09_20, cve CVE_2017_8759, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2020_08_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/adv,/cgi-bin/weblogin.cgi?username="; startswith; 
fast_pattern; content:"|27 3b|"; within:20; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029616; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_03_12, cve CVE_2020_9054, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/adv,/cgi-bin/weblogin.cgi"; startswith; fast_pattern; http.request_body; content:"username="; startswith; content:"|27 3b|"; within:20; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029617; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_03_12, cve CVE_2020_9054, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Zoho ManageEngine Desktop Central RCE Inbound (CVE-2020-10189)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/mdm/client/v1/mdmLogUploader?udid=si|5c|..|5c|..|5c|..|5c|webapps|5c|DesktopCentral|5c|_chart&filename="; startswith; fast_pattern; http.request_body; content:"|ac ed 00 05 73 72 00 17 6a 61 76 61 2e 75 74 69 6c 2e 50 72 69 6f 72 69 74 79 51 75 65 75 65 94|"; startswith; reference:url,twitter.com/steventseeley/status/1235635108498948096; reference:cve,2020-10189; reference:url,www.manageengine.com/products/desktop-central/remote-code-execution-vulnerability.html; classtype:attempted-admin; sid:2029618; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 
2020_03_12, cve CVE_2020_10189, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_08_19;) #alert ipv6 any any -> ff00::/8 any (msg:"ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read"; reference:url,www.jsof-tech.com/ripple20/; classtype:attempted-admin; sid:2030387; rev:2; metadata:created_at 2020_06_22, performance_impact Significant, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_20;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725)"; flow:to_server,established; http.uri; content:"/kerbynet?"; nocase; fast_pattern; content:"Action="; nocase; content:"Section="; nocase; reference:cve,2019-12725; reference:url,isc.sans.edu/forums/diary/Scanning+Activity+for+ZeroShell+Unauthenticated+Access/26368/; classtype:attempted-admin; sid:2030597; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_07_24, cve CVE_2019_12725, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_19;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M1"; flow:established,to_server; http.uri; content:"="; content:"%"; distance:0; content:"{"; distance:0; content:"ProcessBuilder"; nocase; distance:0; fast_pattern; content:"java"; nocase; content:"lang"; nocase; pcre:"/=\s*\x25\s*\{\s*.+?\bProcessBuilder\b/i"; classtype:attempted-admin; sid:2024814; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_06, cve CVE_2017_12611, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_08_20;) alert http any any -> $HOME_NET 52869 (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361"; flow:established,to_server; urilen:12; http.method; content:"POST"; http.uri; 
content:"/picdesc.xml"; http.header; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; reference:url,blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/; reference:cve,CVE-2014-8361; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb; reference:url,www.exploit-db.com/exploits/37169/; classtype:attempted-user; sid:2025132; rev:3; metadata:attack_target IoT, created_at 2017_12_05, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_24;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MikroTik RouterOS Chimay Red Remote Code Execution Probe"; flow:to_server,established; urilen:8; http.method; content:"POST"; http.uri; content:"/jsproxy"; fast_pattern; http.header; content:"Content-Length|3a 20|"; depth:16; reference:url,www.exploit-db.com/exploits/44284/; reference:url,www.exploit-db.com/exploits/44283/; classtype:attempted-admin; sid:2025426; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_03_13, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Major, updated_at 2020_08_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpLDAPadmin LDAP Injection"; flow:to_server,established; http.uri; content:"!(()&&!|7c|*|7c|*|7c|"; nocase; classtype:web-application-attack; sid:2025733; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_06_22, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link Technologies TL-WA850RE Wi-Fi Range Extender - Command Execution"; flow:to_server,established; http.uri; 
content:"/wps.setup.json"; fast_pattern; nocase; http.request_body; content:"operation=write"; content:"option=connect"; content:"wps_setup_pin="; content:"%2Fbin%2Fsh"; reference:url,exploit-db.com/exploits/44912/; classtype:web-application-attack; sid:2025735; rev:3; metadata:affected_product TPLINK, attack_target IoT, created_at 2018_06_22, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_25;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Enable Guest Network)"; flow:established,to_server; http.uri; content:"/cgi?2&2&2&2&2"; http.header; content:"/mainFrame.htm"; http.request_body; content:"LAN_WLAN_MULTISSID"; fast_pattern; content:"multiSSIDEnable"; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025752; rev:3; metadata:affected_product TPLINK, created_at 2018_06_26, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Reboot Router)"; flow:established,to_server; http.uri; content:"/cgi?7"; http.header; content:"mainFrame.htm"; http.request_body; content:"ACT_REBOOT"; fast_pattern; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025754; rev:3; metadata:affected_product TPLINK, created_at 2018_06_26, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link 
TL-WR840N/TL-WR841N - Authentication Bypass (GET conf.bin)"; flow:established,to_server; http.uri; content:"/cgi/conf.bin"; http.header; content:"/mainFrame.htm"; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025753; rev:3; metadata:affected_product TPLINK, created_at 2018_06_26, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B - OS Command Injection"; flow:established,to_server; http.uri; content:"/login.cgi?cli="; pcre:"/^[ a-zA-Z0-9+_]*[\x27\x3b]/Ri"; reference:url,exploit-db.com/exploits/44760/; classtype:attempted-user; sid:2025756; rev:3; metadata:attack_target IoT, created_at 2018_06_27, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Exec Backdoor"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"|7b 22|action|22 3a 20 22|exec|22 2c 20 22|name|22 3a 20 22|"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025761; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Install Backdoor"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"|7b 22|action|22 3a 20 22|install|22 
2c 20 22|name|22 3a 20 22|"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025762; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"destination="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/destination=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025767; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT VMware NSX SD-WAN Command Injection 2"; flow:established,to_server; http.uri; content:"/scripts/ajaxPortal.lua"; fast_pattern; http.request_body; content:"name="; content:"source="; content:"test="; content:"&requestTimeout="; content:"auth_token="; content:"cmd=run_diagnostic"; pcre:"/name=[^&]*\x24\x28/i"; reference:url,exploit-db.com/exploits/44959/; reference:cve,2018-6961; classtype:attempted-user; sid:2025768; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_6961, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT 
Geutebruck Remote Command Execution"; flow:established,to_server; http.uri; content:"/uapi-cgi/viewer/simple_loglistjs.cgi?"; fast_pattern; content:"/bin/sh"; reference:url,exploit-db.com/exploits/44957/; reference:cve,2018-7520; classtype:attempted-user; sid:2025769; rev:2; metadata:attack_target IoT, created_at 2018_07_02, cve CVE_2018_7520, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection"; flow:established,to_server; http.uri; content:"/nagiosim.php?mode=resolve&host=|27|"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025772; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution"; flow:established,to_server; http.uri; content:"/ajaxhelper.php?cmd=getxicoreajax"; fast_pattern; http.uri.raw; content:"&opts=%7b%22func%22%3a%22get_hoststatus_table%22%7d"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025774; rev:2; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence Medium, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Remote Code Execution 
2"; flow:established,to_server; http.uri; content:"/graphApi.php?host="; fast_pattern; http.uri.raw; content:"%3bsudo%20../profile/getprofile.sh%20%23"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025773; rev:3; metadata:attack_target Server, created_at 2018_07_02, cve CVE_2018_8734, deployment Datacenter, confidence Medium, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI SQL Injection 2"; flow:established,to_server; http.uri; content:"/admin/helpedit.php"; fast_pattern; http.request_body; content:"selInfoKey1="; pcre:"/^[^&]+\x2527(?:UNION|SELECT)/Ri"; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025775; rev:3; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Set DB User Root"; flow:established,to_server; http.uri; content:"/admin/settings.php"; http.request_body; content:"txtRootPath="; content:"&txtBasePath="; content:"&selProtocol="; content:"&txtTempdir="; content:"&selLanguage="; content:"&txtEncoding="; content:"&txtDBserver="; content:"&txtDBport="; content:"&txtDBname="; content:"&txtDBuser=root"; fast_pattern; content:"&txtDBpass="; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; 
reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025777; rev:2; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nagios XI Adding Administrative User"; flow:established,to_server; http.uri; content:"/api/v1/system/user"; http.request_body; content:"username="; content:"&password="; content:"&name="; content:"&email="; content:"&auth_level=admin&force_pw_change=0"; fast_pattern; reference:url,2018-8733; reference:cve,2018-8734; reference:cve,2018-8735; reference:cve,2018-8736; reference:url,exploit-db.com/exploits/44969/; classtype:attempted-user; sid:2025778; rev:2; metadata:attack_target Server, created_at 2018_07_03, cve CVE_2018_8734, deployment Datacenter, confidence High, signature_severity Critical, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ADB Broadband Authorization Bypass"; flow:established,to_server; http.uri; content:"/ui/dboard/settings/management/"; fast_pattern; http.uri.raw; content:"/management//"; reference:cve,2018-13109; reference:url,exploit-db.com/exploits/44982/; classtype:web-application-attack; sid:2025785; rev:2; metadata:attack_target IoT, created_at 2018_07_05, cve CVE_2018_13109, deployment Datacenter, performance_impact Low, confidence High, signature_severity Critical, updated_at 2020_08_25;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DIR601 2.02 Credential Disclosure"; flow:established,to_server; http.uri; content:"/my_cgi.cgi"; http.request_body; content:"request=no_auth"; content:"request=load_settings"; content:"table_name=admin_user"; fast_pattern; content:"table_name=user_user"; content:"table_name=wireless_settings"; content:"table_name=wireless_security"; content:"table_name=wireless_wpa_settings"; reference:url,exploit-db.com/exploits/45002/; 
classtype:attempted-recon; sid:2025823; rev:3; metadata:attack_target IoT, created_at 2018_07_10, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IBM QRadar SIEM Unauthenticated Remote Code Execution"; flow:established,to_server; http.uri; content:"/ForensicsAnalysisServlet/?"; fast_pattern; content:"[pcap]=$("; content:"/bin/bash"; reference:url,exploit-db.com/exploits/45005/; classtype:attempted-user; sid:2025826; rev:2; metadata:attack_target Server, created_at 2018_07_11, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SAP NetWeaver AS JAVA CRM - Log injection Remote Command Execution"; flow:established,to_server; http.uri; content:"/init.do?"; content:"java.util"; content:"Runtime.getRuntime().exec"; fast_pattern; content:"cmd"; reference:url,exploit-db.com/exploits/44292/; reference:cve,2018-2380; classtype:attempted-user; sid:2025835; rev:3; metadata:attack_target Web_Server, created_at 2018_07_12, cve CVE_2018_2380, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution"; flow:established,to_server; content:"|f9 6a 76 7b 7c de 68 4f 76 d8 aa 3d 00 00 01 5b b0 4c 1d 81 80 01 00|"; fast_pattern; http.uri; content:"/amf"; http.request_body; content:"sun.rmi.server.UnicastRef"; reference:url,exploit-db.com/exploits/43993/; reference:cve,2017-3066; classtype:attempted-user; sid:2025836; rev:3; metadata:attack_target Server, created_at 2018_07_13, cve CVE_2017_3066, 
deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Unix"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"/bin/sh"; content:"-c"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025837; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows"; flow:established,to_server; http.uri; content:"/CoordinatorPortType"; http.request_body; content:"cmd"; content:"/c"; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025838; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_08_25, reviewed_at 2024_04_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MVPower DVR Shell UCE MSF Check"; flow:to_server,established; http.uri; content:"/shell?echo+"; depth:12; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025882; rev:3; metadata:affected_product Linux, 
attack_target IoT, created_at 2018_07_23, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MVPower DVR Shell UCE"; flow:to_server,established; http.uri; content:"/shell?"; depth:7; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025883; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, malware_family Mirai, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Multiple CCTV-DVR Vendors RCE"; flow:to_server,established; http.uri; content:"/language/Swedish${IFS}&&"; depth:25; fast_pattern; http.header_names; content:!"Referer"; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025884; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, malware_family Mirai, confidence Medium, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Oracle WebLogic Unrestricted File Upload (CVE-2018-2894)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/ws_utc/resources/setting/keystore"; fast_pattern; http.request_body; content:"ks_filename="; reference:url,github.com/LandGrey/CVE-2018-2894/blob/master/CVE-2018-2894.py; reference:cve,2018-2894; classtype:attempted-admin; sid:2025907; rev:3; metadata:attack_target Server, created_at 2018_07_25, cve CVE_2018_2894, deployment Datacenter, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI M2"; flow:to_server,established; 
http.uri; content:"java.lang.Runtime|25|40getRuntime().exec("; nocase; classtype:attempted-user; sid:2026024; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_08_23, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M1"; flow:to_server,established; http.uri; content:"memberAccess"; content:"allowStaticMethodAccess"; distance:0; content:"java.lang.Runtime|25|40getRuntime().exec("; nocase; fast_pattern; distance:0; content:".getInputStream()"; content:"java.io.InputStreamReader("; content:"java.io.BufferedReader("; content:".read("; content:"org.apache.struts2.ServletActionContext"; content:"getResponse().getWriter()"; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026025; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2018_08_23, cve CVE_2018_11776, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_25;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2"; flow:to_server,established; http.uri; content:"memberAccess"; content:"allowStaticMethodAccess"; distance:0; content:"java.lang.Runtime@getRuntime().exec("; nocase; fast_pattern; distance:0; content:".getInputStream"; content:"java.io.InputStreamReader"; content:"java.io.BufferedReader"; content:".read"; content:"@org.apache.struts2.ServletActionContext@getResponse"; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026026; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2018_08_23, cve CVE_2018_11776, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 
2020_08_25;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Linux)"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; http.request_body; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; content:".deb"; content:"/var/lib/sdn/uploads"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026029; rev:2; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts memberAccess and getWriter inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|23|_memberAccess"; fast_pattern; content:".getWriter"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026094; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, cve CVE_2018_11776, deployment Datacenter, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts memberAccess and opensymphony inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|23|_memberAccess"; fast_pattern; content:"com|2E|opensymphony"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026095; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, cve CVE_2018_11776, deployment 
Datacenter, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Struts getWriter and opensymphony inbound OGNL injection remote code execution attempt"; flow:to_server,established; http.uri; content:"|2E|getWriter"; fast_pattern; content:"symphony|2E|"; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026096; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, cve CVE_2018_11776, deployment Datacenter, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT SonicWall Global Management System - XMLRPC set_time_zone Command Injection (CVE-2018-9866)"; flow:established,to_server; http.request_body; content:"set_time_"; fast_pattern; content:"|22 60|"; distance:0; reference:url,exploit-db.com/exploits/45124/; reference:cve,2018-9866; classtype:attempted-user; sid:2026023; rev:4; metadata:attack_target Server, created_at 2018_08_23, cve CVE_2018_9866, deployment Datacenter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Vacron NVR Remote Command Execution M2"; flow:to_server,established; http.uri; content:"/board.cgi"; fast_pattern; http.request_body; content:"cmd="; depth:4; pcre:"/[^&]*(?:\x60|\x24)/R"; reference:url,blogs.securiteam.com/index.php/archives/3445; 
reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026103; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, confidence Medium, signature_severity Minor, updated_at 2020_08_25;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT EnGenius EnShare IoT Gigabit Cloud Service RCE"; flow:to_server,established; http.uri; content:"/usbinteract.cgi"; http.request_body; content:"action=7&path="; fast_pattern; depth:14; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026104; rev:3; metadata:created_at 2018_09_10, confidence Medium, signature_severity Major, updated_at 2020_08_25;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Zyxel Command Injection RCE (CVE-2017-6884)"; flow:to_server,established; http.uri; content:"/cgi-bin/luci/"; content:"stok="; content:"/nslookup?nslookup_button=nslookup_button&"; fast_pattern; reference:cve,2017-6884; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026105; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, cve CVE_2017_6884, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NetGain Enterprise Manager 7.2.562 Ping Command Injection"; flow:to_server,established; http.uri; content:"/exec.jsp"; http.request_body; content:"command=cmd"; fast_pattern; content:"ping&argument="; distance:0; 
reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026106; rev:3; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Cisco RV320 RCE Attempt (CVE-2019-1652)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/certificate_handle2.htm?type="; http.request_body; content:"page=self_generator.htm&totalRules="; depth:35; fast_pattern; content:"|25 32 37 25 32 34 25 32 38|"; distance:0; reference:url,seclists.org/fulldisclosure/2019/Jan/54; classtype:trojan-activity; sid:2026860; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_01_29, cve CVE_2019_1652, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_27;) alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:affected_product Pulse_Secure, created_at 2020_08_27, cve CVE_2020_8218, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_27;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ZTE ZXV10 H108L Router Root RCE Attempt"; flow:established,to_server; 
http.method; content:"GET"; http.uri; content:"/getpage.gch?pid="; depth:17; content:"&Host=|3b|"; distance:0; fast_pattern; content:"&DataBlockSize="; distance:0; reference:url,github.com/stasinopoulos/ZTExploit/blob/master/ZTExploit_Source/ztexploit.py; classtype:attempted-user; sid:2027098; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_28;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; http.request_body; content:"ttcp_ip="; content:"-h"; distance:0; content:"&ttcp_num="; fast_pattern; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026102; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, malware_family Mirai, confidence Medium, signature_severity Major, updated_at 2020_08_28;) alert http any any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; http.request_body; content:"ttcp_ip="; content:"-h"; distance:0; content:"&ttcp_num="; fast_pattern; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2027153; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys Smart WiFi Information Disclosure Attempt Inbound"; 
flow:established,to_server; http.method; content:"POST"; http.uri; content:"/JNAP/"; depth:6; http.header; content:"X-JNAP-Action|3a 20|http|3a 2f 2f|"; fast_pattern; pcre:"/^(?:www\.)?(cisco|linksys)\.com\/jnap\//Ri"; http.request_body; content:"|7b 7d|"; depth:2; reference:url,raw.githubusercontent.com/zeropwn/Linksys-Smart-WiFi-Information-Disclosure/master/nss.py; classtype:attempted-recon; sid:2027357; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_05_16, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_28, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/UD/act?1"; depth:9; nocase; http.request_body; content:" $EXTERNAL_NET any (msg:"ET EXPLOIT Eir D1000 Remote Command Injection Attempt Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/UD/act?1"; depth:9; nocase; http.request_body; content:" $HTTP_SERVERS any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webadmin/script?command="; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027453; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_31, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible OpenDreamBox Attempted 
Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webadmin/script?command="; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-14135; classtype:attempted-admin; sid:2027452; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_31, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/protocol.csp?function="; depth:23; fast_pattern; content:"&mac=|7c|"; distance:0; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027461; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_08_31, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Hootoo TripMate Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/protocol.csp?function="; depth:23; fast_pattern; content:"&mac=|7c|"; distance:0; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-20841; classtype:attempted-admin; sid:2027460; rev:3; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, 
signature_severity Major, updated_at 2020_08_31, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FCM-MB40 Attempted Remote Command Execution as Root"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/camctrl_save_profile.cgi"; depth:33; fast_pattern; content:"num="; distance:0; content:"name="; distance:0; content:"a|20|-e|20|s|2f 5e|"; distance:0; content:"|20 2e 2e|/cgi-bin/ddns.cgi|20|"; distance:0; content:"&save=profile"; distance:0; reference:url,xor.cat/2019/06/19/fortinet-forticam-vulns/; classtype:attempted-admin; sid:2027513; rev:3; metadata:attack_target IoT, created_at 2019_06_24, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_08_31;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/struts2"; http.content_type; content:"|25 7b 28 23|"; isdataat:500,relative; content:"cmd.exe"; fast_pattern; content:"@java.lang.System@getProperty(|27|os.name|27|)"; reference:cve,2017-9805; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027516; rev:2; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2019_06_26, cve CVE_2017_9805, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag CISA_KEV, updated_at 2020_08_31, reviewed_at 2024_05_06;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ThinkPHP Attempted Bypass and Payload Retrieval"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/public/hydra.php?xcmd=cmd.exe"; 
reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027518; rev:2; metadata:attack_target Server, created_at 2019_06_26, deployment Perimeter, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31, reviewed_at 2024_05_06;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell GIF Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"GIF89a"; depth:6; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:attempted-admin; sid:2027736; rev:2; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag WebShell, updated_at 2020_08_31;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible WebShell JPEG Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|FF D8 FF E0|"; depth:4; content:"JFIF"; distance:2; within:4; content:"<%eval|20|request|28 22|"; distance:0; fast_pattern; classtype:attempted-admin; sid:2027737; rev:2; metadata:attack_target Web_Server, created_at 2019_07_22, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag WebShell, updated_at 2020_08_31;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound"; flow:established,to_server; http.method; content:"POST"; http.header; content:"SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|"; fast_pattern; http.request_body; content:"|3c|u|3a|AddPortMapping"; content:"|3c|NewRemoteHost|3e|"; distance:0; content:"|3c|NewInternalClient"; distance:0; content:"|3c 2f|NewInternalClient|3e|"; distance:0; content:"NewEnabled|3e|1"; distance:0; classtype:trojan-activity; sid:2027339; rev:3; metadata:attack_target IoT, 
created_at 2019_05_08, cve CVE_2014_8361, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_31;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Inbound Flash Exploit (CVE-2018-15982)"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application|2f|x-shockwave-flash"; file.data; content:"FWS"; depth:3; content:"cmd.exe|20 2f|c"; distance:0; nocase; fast_pattern; reference:url,www.malware-traffic-analysis.net/2019/08/01/index.html; classtype:attempted-user; sid:2027789; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_02, cve CVE_2018_15982, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_31;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Inbound Flash Exploit with Stack-Based wininet"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"application|2f|x-shockwave-flash"; file.data; content:"FWS"; depth:3; content:"hnet|00|hwini"; fast_pattern; distance:0; nocase; within:1000; content:".exe|00|"; pcre:"/^.{1,10}(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/R"; classtype:attempted-user; sid:2027790; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_08_02, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit, updated_at 2020_08_31;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Pre-Auth Messages Payload Buffer Overflow (CVE-2018-13381)"; flow:established,to_server; http.request_body; content:"&msg=%26%23%3c"; fast_pattern; nocase; pcre:"/(?:\%3C){1000}/Ri"; http.start; content:"POST /message HTTP/1.1"; reference:cve,CVE-2018-13381; 
reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027884; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_08_31;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Remote Code Execution (CVE-2018-13383)"; flow:established,to_client; http.stat_code; content:"200"; http.response_body; content:"|3c|a href=|22|javascript:void|28|0|29 3b|AAA"; depth:33; fast_pattern; pcre:"/A{1000}/R"; content:"python -c"; distance:0; content:"socket"; distance:0; reference:cve,CVE-2018-13383; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027891; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FortiOS SSL VPN - Information Disclosure (CVE-2018-13379)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/remote/fgt_lang?lang=/../"; depth:35; isdataat:30,relative; fast_pattern; reference:cve,CVE-2018-13379; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027883; rev:3; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_08_31, mitre_tactic_id TA0007, 
mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; fast_pattern; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:4; metadata:created_at 2012_09_22, cve CVE_2012_3574, signature_severity Major, updated_at 2020_09_01;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; content:"id="; nocase; distance:0; content:"select password"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018288; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla 3.2.1 SQL injection attempt 2"; flow:established,to_server; http.uri; content:"weblinks-categories?"; nocase; fast_pattern; 
content:"id="; nocase; distance:0; pcre:"/id\=[^\r\n]*?(?:select|delete|union|update|insert)/i"; reference:url,www.exploit-db.com/exploits/31459/; classtype:web-application-attack; sid:2018289; rev:4; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2014_03_18, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Pulse Secure SSL VPN - Arbitrary File Read (CVE-2019-11510)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/../dana/html5acc/guacamole/../"; depth:39; fast_pattern; isdataat:10,relative; reference:url,packetstormsecurity.com/files/154176/Pulse-Secure-SSL-VPN-8.1R15.1-8.2-8.3-9.0-Arbitrary-File-Disclosure.html; reference:cve,CVE-2019-11510; classtype:trojan-activity; sid:2027904; rev:3; metadata:affected_product Pulse_Secure, created_at 2019_08_22, signature_severity Major, tag CISA_KEV, updated_at 2020_09_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Secutech Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/wan_dns.asp?go=wan_dns.asp&reboottag=&dsen=1&dnsen=on&ds1="; fast_pattern; content:"&ds2="; distance:0; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027909; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_08_23, deployment Perimeter, performance_impact Moderate, signature_severity Major, updated_at 2020_09_01;) alert tls any any -> any any (msg:"ET EXPLOIT Possible EXIM RCE Inbound (CVE-2019-15846) M2"; flow:established,to_server; tls.sni; content:"|5c 00|"; fast_pattern; reference:cve,2019-15846; reference:url,exim.org/static/doc/security/CVE-2019-15846.txt; classtype:attempted-admin; sid:2027960; rev:2; metadata:affected_product 
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_09_06, cve CVE_2019_15846, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_09_01;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DLink DNS 320 Remote Code Execution (CVE-2019-16057)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/login_mgr.cgi"; fast_pattern; content:"cmd|3d|login"; distance:0; content:"&port="; distance:0; pcre:"/^\d{2,5}+(?!\&|\d)/R"; reference:cve,2019-16057; reference:url,blog.cystack.net/d-link-dns-320-rce/; classtype:attempted-admin; sid:2028603; rev:2; metadata:attack_target Networking_Equipment, created_at 2019_09_18, cve CVE_2019_16057, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_09_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Application Credential Disclosure (CVE-2018-9995)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/device.rsp?opt=user&cmd=list"; depth:29; fast_pattern; http.cookie; content:"uid=admin"; nocase; reference:url,github.com/ezelf/CVE-2018-9995_dvr_credentials; reference:cve,2018-9995; classtype:attempted-admin; sid:2027971; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, cve CVE_2018_9995, deployment Perimeter, signature_severity Major, updated_at 2020_09_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HiSilicon DVR - Buffer Overflow in Builtin Web Server"; flow:established,to_server; urilen:>200; http.start; content:"GET|20 01 10 8f e2 11 ff|"; depth:10; fast_pattern; content:"aaaaaaaa"; distance:0; reference:url,github.com/tothi/pwn-hisilicon-dvr/blob/master/pwn_hisilicon_dvr.py; classtype:attempted-admin; 
sid:2027972; rev:4; metadata:affected_product DVR, attack_target IoT, created_at 2019_09_09, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_09_03;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WAP54G debug.cgi Shell Access as Gemtek"; flow:established,to_server; http.uri; content:"/debug.cgi"; http.header; content:"Authorization|3a 20|Basic R2VtdGVrOmdlbXRla3N3ZA==|0d 0a|"; reference:url,seclists.org/fulldisclosure/2010/Jun/176; classtype:attempted-admin; sid:2011669; rev:6; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_09_03;) alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Apache2 Memory Corruption Inbound (CVE-2020-9490)"; flow:established,to_server; http.method; content:"GET"; http.header; content:"Cache-Digest|3a 20|EA"; fast_pattern; pcre:"/^(?:8=|9BQQ==)\r?\n?/R"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=2030&q=apache&can=1; reference:cve,2020-9490; classtype:attempted-admin; sid:2030830; rev:1; metadata:created_at 2020_09_03, cve CVE_2020_9490, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2020_09_03;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK Password Change GET Request (DNSChanger EK)"; flow:to_server,established; threshold:type limit,track by_dst,count 3, seconds 90; http.method; content:"GET"; http.uri; content:"/router/UserPassSet.cgi?"; depth:24; fast_pattern; content:"new_user_name="; content:"password1="; reference:url,www.xexexe.cz/2015/02/bruteforcing-tp-link-routers-with.html; classtype:attempted-admin; sid:2023996; rev:4; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2017_02_17, deployment Internal, performance_impact Moderate, signature_severity Major, updated_at 2020_09_04;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Likely Struts S2-053-CVE-2017-12611 Exploit Attempt M2"; 
flow:established,to_server; http.uri; content:"="; content:"%"; distance:0; content:"{"; distance:0; content:"getRunTime"; nocase; distance:0; fast_pattern; content:"exec"; nocase; pcre:"/=\s*\x25\s*\{\s*(?=.+?\bgetRunTime\b).+?\bexec\b/i"; classtype:attempted-admin; sid:2024815; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_10_06, cve CVE_2017_12611, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_09_04;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT vBulletin 5.6.2 widget_tabbedContainer_tab_panel Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/render/widget_tabbedcontainer_tab_panel"; fast_pattern; http.request_body; content:"echo%20shell_exec("; reference:url,www.exploit-db.com/exploits/48743; classtype:attempted-admin; sid:2030832; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_04, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_09_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT vBulletin 5.6.2 widget_tabbedContainer_tab_panel Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ajax/render/widget_tabbedcontainer_tab_panel"; fast_pattern; http.request_body; content:"echo%20shell_exec("; reference:url,www.exploit-db.com/exploits/48743; classtype:attempted-admin; sid:2030833; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_04, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_09_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name 
Exploit_Public_Facing_Application;) alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Cisco Jabber RCE Inbound (CVE-2020-3495)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/CLIENT_REQUEST/"; http.request_body; content:".CallCppFunction|28|"; fast_pattern; reference:url,watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/; reference:cve,2020-3495; classtype:attempted-admin; sid:2030837; rev:1; metadata:created_at 2020_09_05, cve CVE_2020_3495, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, updated_at 2020_09_05;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Belkin Wireless G Router DNS Change POST Request"; flow:to_server,established; urilen:22; http.method; content:"POST"; http.uri; content:"/cgi-bin/setup_dns.exe"; http.request_body; content:"getpage=|2e 2e|/html/setup/dns.htm"; depth:29; fast_pattern; content:"resolver|3a|settings/nameserver1="; distance:0; reference:url,www.exploit-db.com/exploits/3605; classtype:attempted-admin; sid:2020857; rev:6; metadata:created_at 2015_04_08, signature_severity Major, updated_at 2020_09_14;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HackingTrio UA (Hello, World)"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Hello, World"; fast_pattern; endswith; reference:cve,2018-10561; reference:cve,2018-10562; reference:url,github.com/f3d0x0/GPON; classtype:attempted-admin; sid:2025576; rev:4; metadata:attack_target IoT, created_at 2018_05_11, cve CVE_2018_10561, deployment Perimeter, performance_impact Low, signature_severity Major, tag GPON, updated_at 2020_09_16;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (WiFi Password Change)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"LAN_WLAN"; fast_pattern; 
content:"IEEE11iAuthenticationMode"; content:"IEEE11iEncryptionModes"; content:"X_TP_PreSharedKey="; content:"X_TP_GroupKeyUpdateInterval"; reference:url,exploit-db.com/exploits/44781/; classtype:web-application-attack; sid:2025755; rev:4; metadata:affected_product TPLINK, created_at 2018_06_26, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (DMZ enable and Disable)"; flow:established,to_server; http.uri; content:"/cgi?2"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"DMZ_HOST_CFG"; fast_pattern; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025751; rev:4; metadata:affected_product TPLINK, created_at 2018_06_26, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N/TL-WR841N - Authentication Bypass (Add Port Forwarding)"; flow:established,to_server; http.uri; content:"/cgi?3"; endswith; http.header; content:"/mainFrame.htm"; http.request_body; content:"IP_CONN_PORTTRIGGERING"; content:"openProtocol"; content:"openPort="; reference:url,exploit-db.com/exploits/44781/; classtype:attempted-user; sid:2025750; rev:4; metadata:affected_product TPLINK, created_at 2018_06_26, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, updated_at 2020_09_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, 
mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; http.request_body; content:"!|0a|debian-binary"; fast_pattern; reference:url,exploit-db.com/exploits/44951/; classtype:attempted-user; sid:2025763; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_06_28, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor 2"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; content:".deb|0d 0a|"; http.request_body; content:"|7f|ELF"; depth:4; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026030; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Tor/Noscript JS Bypass"; flow:established,to_client; http.content_type; content:"text/html|3b|/json"; depth:15; endswith; reference:url,twitter.com/Zerodium/status/1039127214602641409; classtype:trojan-activity; sid:2026109; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_09_11, deployment Perimeter, confidence Medium, signature_severity Minor, updated_at 2020_09_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Nuuo NVR RCE Attempt (CVE-2018-15716)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"_handle.php?cmd=getupgradinginfo"; fast_pattern; endswith; 
classtype:attempted-admin; sid:2026982; rev:3; metadata:created_at 2019_02_26, cve CVE_2018_15716, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_09_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 OS Command Injection"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rdfs.cgi"; depth:17; endswith; fast_pattern; http.request_body; content:"Client="; depth:7; content:"|3b|"; distance:0; content:"&Download="; distance:0; classtype:attempted-admin; sid:2027090; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_09_16, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible WePresent WIPG1000 File Inclusion"; flow:established,to_server; content:"&src=|2e 2e 2f 2e 2e 2f 2e 2e 2f|"; fast_pattern; http.method; content:"GET"; http.uri; content:"/cgi-bin/login.cgi"; depth:18; endswith; reference:url,www.redguard.ch/advisories/wepresent-wipg1000.txt; classtype:attempted-user; sid:2027091; rev:4; metadata:attack_target IoT, created_at 2019_03_18, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_09_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6077)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; depth:9; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"&ping_IPAddr="; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6077; classtype:attempted-user; sid:2027093; rev:3; metadata:attack_target IoT, created_at 2019_03_18, 
cve CVE_2017_6077, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_09_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dnslookup.cgi"; depth:14; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"host_name="; depth:10; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6334; classtype:attempted-user; sid:2027094; rev:3; metadata:attack_target IoT, created_at 2019_03_18, cve CVE_2017_6334, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_09_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WAP54Gv3 Remote Debug Root Shell Exploitation Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/debug.cgi"; depth:10; endswith; http.request_body; content:"data1=|3b|"; depth:7; fast_pattern; content:"&command="; distance:0; reference:url,seclists.org/bugtraq/2010/Jun/93; classtype:attempted-user; sid:2027095; rev:3; metadata:attack_target Networking_Equipment, created_at 2019_03_18, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_09_16;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Unk.IoT IPCamera Exploit Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/sysTimeCfgEx"; fast_pattern; endswith; http.request_body; content:"systemdate="; depth:11; nocase; content:"&systemtime="; nocase; content:"&dwTimeZone"; nocase; content:"&updatemode="; nocase; content:"&ntpHost="; nocase; content:"&ntpPort="; nocase; content:"&timezonecon="; nocase; http.header_names; content:!"Referer"; 
reference:url,twitter.com/zom3y3/status/1115481065701830657/photo/1; classtype:trojan-activity; sid:2027194; rev:4; metadata:attack_target Client_Endpoint, created_at 2019_04_12, deployment Perimeter, malware_family Mirai, performance_impact Moderate, signature_severity Major, updated_at 2020_09_17, reviewed_at 2024_03_26;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CyberArk Enterprise Password Vault XXE Injection Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/PasswordVault/auth/saml/"; fast_pattern; endswith; http.request_body; content:"SAMLResponse=PCFET0NUWVBFIHIgWwo8IUVMRU1F"; depth:41; reference:url,www.exploit-db.com/exploits/46828; classtype:attempted-admin; sid:2027358; rev:4; metadata:created_at 2019_05_16, deployment Perimeter, performance_impact Low, signature_severity Major, updated_at 2020_09_17;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted Remote Command Injection Outbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027450; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve CVE_2019_3929, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Remote Command Injection Inbound (CVE-2019-3929)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/file_transfer.cgi"; endswith; http.request_body; 
content:"file_transfer="; depth:14; content:"&dir=|27|Pa_Note"; distance:0; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; classtype:attempted-admin; sid:2027451; rev:3; metadata:attack_target IoT, created_at 2019_06_11, cve CVE_2019_3929, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027456; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Dell KACE Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/krashrpt.php"; fast_pattern; endswith; http.request_body; content:"kuid=|60|"; depth:6; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2018-11138; classtype:attempted-admin; sid:2027457; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2020_09_17, 
mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027459; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Geutebruck Attempted Remote Command Injection Outbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/testaction.cgi"; endswith; http.header; content:"ip|3a 20|eth0|20|1.1.1.1|3b|"; fast_pattern; reference:url,unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/; reference:cve,CVE-2017-5173; classtype:attempted-admin; sid:2027458; rev:4; metadata:attack_target IoT, created_at 2019_06_11, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Palo Alto SSL VPN sslmgr Format String Vulnerability (Inbound) (CVE-2019-1579)"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/sslmgr"; endswith; nocase; http.request_body; 
content:"scep-profile-name=%"; depth:19; fast_pattern; pcre:"/^[0-9]+/R"; reference:url,blog.orange.tw/2019/07/attacking-ssl-vpn-part-1-preauth-rce-on-palo-alto.html; classtype:attempted-admin; sid:2027723; rev:4; metadata:attack_target Server, created_at 2019_07_18, cve CVE_2019_1579, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_09_17;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Inbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027881; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NETGEAR R7000/R6400 - Command Injection Outbound (CVE-2019-6277)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi-bin/|3b|wget"; depth:14; fast_pattern; content:"|7c|sh"; endswith; http.header_names; content:!"Referer"; reference:url,www.exploit-db.com/exploits/41598; reference:cve,CVE-2016-6277; classtype:attempted-admin; sid:2027882; rev:4; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_08_13, deployment Perimeter, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2020_09_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any 
(msg:"ET EXPLOIT FortiOS SSL VPN - Improper Authorization Vulnerability (CVE-2018-13382)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/remote/logincheck"; depth:18; fast_pattern; endswith; http.request_body; content:"ajax=1"; content:"&username="; content:"&credential="; content:"&magic="; reference:cve,CVE-2018-13382; reference:url,github.com/milo2012/CVE-2018-13382/blob/master/CVE-2018-13382.py; reference:url,blog.orange.tw/2019/08/attacking-ssl-vpn-part-2-breaking-the-fortigate-ssl-vpn.html; classtype:attempted-admin; sid:2027885; rev:4; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2019_08_14, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, signature_severity Critical, tag CISA_KEV, updated_at 2020_09_17;) alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] ![139,445] (msg:"ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:2030871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_09_18;) #alert tcp-pkt any any -> any any (msg:"ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; content:"|05 00 00|"; depth:3; content:"|1a 00|"; distance:19; within:3; content:"|00 00 00 00 00 00 00 00|"; isdataat:!5,relative; threshold:type both, track 
by_src, seconds 60, count 3; reference:cve,2020-1472; classtype:attempted-admin; sid:2030889; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_18, cve CVE_2020_1472, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_09_18;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful Compromise svchost.jpg Beacon - Java Zeroday"; flow:established,to_server; http.uri; content:"/svchost.jpg"; fast_pattern; http.user_agent; content:"Java/1."; reference:url,blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html; classtype:trojan-activity; sid:2016511; rev:6; metadata:attack_target Client_Endpoint, created_at 2013_03_01, deployment Perimeter, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;) alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 1"; flow:established,to_server; http.uri; content:"/PSBlock"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018585; rev:6; metadata:created_at 2014_06_20, signature_severity Major, updated_at 2020_09_24;) alert http $EXTERNAL_NET any -> $HOME_NET 49152 (msg:"ET EXPLOIT Supermicro BMC Password Disclosure 2"; flow:established,to_server; http.uri; content:"/PSStore"; fast_pattern; reference:url,arstechnica.com/security/2014/06/at-least-32000-servers-broadcast-admin-passwords-in-the-clear-advisory-warns/; classtype:attempted-admin; sid:2018586; rev:7; metadata:created_at 2014_06_20, signature_severity Major, updated_at 2020_09_24;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 1"; flow:established,to_server; 
http.request_body; content:"name["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019422; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 2"; flow:established,to_server; http.request_body; content:"name%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])name\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019423; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 3"; flow:established,to_server; http.request_body; content:"nam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019424; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 4"; flow:established,to_server; http.request_body; content:"nam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])nam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019425; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 
5"; flow:established,to_server; http.request_body; content:"na%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019426; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 6"; flow:established,to_server; http.request_body; content:"na%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019427; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 7"; flow:established,to_server; http.request_body; content:"na%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019428; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 8"; flow:established,to_server; http.request_body; content:"na%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])na\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019429; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT 
Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 9"; flow:established,to_server; http.request_body; content:"n%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019430; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 10"; flow:established,to_server; http.request_body; content:"n%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019431; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 11"; flow:established,to_server; http.request_body; content:"n%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019432; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 12"; flow:established,to_server; http.request_body; content:"n%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019433; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) 
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 13"; flow:established,to_server; http.request_body; content:"n%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019434; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 14"; flow:established,to_server; http.request_body; content:"n%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019435; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 15"; flow:established,to_server; http.request_body; content:"n%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019436; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 16"; flow:established,to_server; http.request_body; content:"n%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])n\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019437; rev:4; metadata:created_at 2014_10_16, cve 
CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 17"; flow:established,to_server; http.request_body; content:"%6eame["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019438; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 18"; flow:established,to_server; http.request_body; content:"%6eame%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eame\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019439; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 19"; flow:established,to_server; http.request_body; content:"%6eam%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019440; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 20"; flow:established,to_server; http.request_body; content:"%6eam%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6eam\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; 
sid:2019441; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 21"; flow:established,to_server; http.request_body; content:"%6ea%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019442; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 22"; flow:established,to_server; http.request_body; content:"%6ea%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019443; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 23"; flow:established,to_server; http.request_body; content:"%6ea%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019444; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 24"; flow:established,to_server; http.request_body; content:"%6ea%6d%65%5b"; nocase; fast_pattern; 
pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6ea\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019445; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 25"; flow:established,to_server; http.request_body; content:"%6e%61me["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019446; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 26"; flow:established,to_server; http.request_body; content:"%6e%61me%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61me\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019447; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 27"; flow:established,to_server; http.request_body; content:"%6e%61m%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019448; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 28"; 
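flow:established,to_server; http.request_body; content:"%6e%61m%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61m\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019449; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
# Layout note: this copy of the ruleset had several rules collapsed onto single wrapped
# lines; they are re-flowed here to one rule per line (the only form Suricata loads) and
# annotated. Rule text is unchanged except where a comment below says otherwise.
#
# Drupal CVE-2014-3704: each "URLENCODE N" rule anchors on one percent-encoding permutation
# of "name[" in the POST body, either at the start of a parameter or inside a multipart
# Content-Disposition name= field. The variants are deliberately redundant; expect several
# of them to fire on the same request.
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 29"; flow:established,to_server; http.request_body; content:"%6e%61%6de["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019450; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 30"; flow:established,to_server; http.request_body; content:"%6e%61%6de%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6de\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019451; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 31"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65["; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\[[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019452; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2014-3704 Drupal SQLi attempt URLENCODE 32"; flow:established,to_server; http.request_body; content:"%6e%61%6d%65%5b"; nocase; fast_pattern; pcre:"/(?:^|&|Content-Disposition[\x3a][^\n]*?name\s*?=\s*?[\x22\x27])\%6e\%61\%6d\%65\%5b[^\x5d]*?\W/i"; reference:url,pastebin.com/F2Dk9LbX; classtype:web-application-attack; sid:2019453; rev:4; metadata:created_at 2014_10_16, cve CVE_2014_3704, confidence Medium, signature_severity Major, updated_at 2020_09_25;)
# D-Link IP camera (Core Security advisory): these match on the bare URI of the vulnerable
# CGI, so any client touching the path alerts — scanner noise as well as exploitation.
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1599)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/rtpd.cgi?"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019801; rev:4; metadata:created_at 2014_11_25, cve CVE_2013_1599, signature_severity Major, updated_at 2020_09_28;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1600)"; flow:established,to_server; urilen:17; http.method; content:"GET"; http.uri; content:"/upnp/asf-mp4.asf"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019802; rev:4; metadata:created_at 2014_11_25, cve CVE_2013_1600, signature_severity Major, updated_at 2020_09_28;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link IP Camera Vulnerable HTTP Request (CVE-2013-1601)"; flow:established,to_server; urilen:12; http.method; content:"GET"; http.uri; content:"/md/lums.cgi"; fast_pattern; reference:url,www.coresecurity.com/advisories/d-link-ip-cameras-multiple-vulnerabilities; classtype:attempted-admin; sid:2019803; rev:4; metadata:created_at 2014_11_25, cve CVE_2013_1601, signature_severity Major, updated_at 2020_09_28;)
# Router DNS-change family (DNS hijack / pharming): an unauthenticated request that rewrites
# the device's upstream DNS servers. A hit from $EXTERNAL_NET means the admin interface is
# reachable from outside; on triage, verify the device's current DNS settings rather than
# relying on the alert alone.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible dlink-DSL2640B DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/ddnsmngr.cmd?action=apply"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020485; rev:4; metadata:created_at 2015_02_19, confidence Medium, signature_severity Major, updated_at 2020_09_29;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ShuttleTech 915WM DNS Change Attempt"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/dnscfg.cgi?"; fast_pattern; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020486; rev:4; metadata:created_at 2015_02_19, confidence Medium, signature_severity Major, updated_at 2020_09_29;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"dnsPrimary="; fast_pattern; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,packetstormsecurity.com/files/130418/dlink-DSL2640B.txt; classtype:attempted-user; sid:2020487; rev:4; metadata:created_at 2015_02_19, confidence Medium, signature_severity Major, updated_at 2020_09_29;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change POST Request"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"dnsDynamic="; content:"dnsRefresh="; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2020488; rev:4; metadata:created_at 2015_02_19, confidence Medium, signature_severity Major, updated_at 2020_09_29;)
# ncc2 (D-Link/TRENDnet) ping.ccp: the pcre fires on the first byte after ping_addr= that is
# not a digit or dot. Because the anchor is ccp_act=ping_v6, a legitimate IPv6 literal
# (colons, hex digits) also satisfies it — check the actual address value before escalating.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (ping.ccp) 2015-1187"; flow:to_server,established; urilen:9; http.method; content:"POST"; http.uri; content:"/ping.ccp"; fast_pattern; http.request_body; content:"ccp_act=ping_v6&ping_addr="; depth:26; pcre:"/ping_addr=[\d.]*[^\d.]/"; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020590; rev:4; metadata:created_at 2015_03_03, signature_severity Major, updated_at 2020_09_29;)
# sid 2020603: msg corrected from "(fwupdate.cpp)" to "(fwupgrade.ccp)" so it names the URI
# the rule actually inspects (/fwupgrade.ccp); rev bumped for the edit.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT D-Link and TRENDnet ncc2 Service Vulnerability (fwupgrade.ccp) 2015-1187"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/fwupgrade.ccp"; fast_pattern; http.request_body; content:"|0d 0a|fwupgrade"; content:"|0d 0a|resolv.conf"; nocase; reference:url,github.com/darkarnium/secpub/tree/master/Multivendor/ncc2; classtype:attempted-admin; sid:2020603; rev:5; metadata:created_at 2015_03_04, signature_severity Major, updated_at 2020_09_29;)
# Seagate NAS: the URI match includes the literal cache-buster "_=1413463189043" from the
# public PoC, so this catches the unmodified PoC only; a request with a different timestamp
# is missed. Coverage gap, not a false-positive risk.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Seagate Business NAS Unauthenticated Remote Command Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/index.php/mv_system/get_general_setup?_=1413463189043"; fast_pattern; http.request_body; content:"set_general"; reference:url,beyondbinary.io/advisory/seagate-nas-rce; classtype:attempted-admin; sid:2020583; rev:5; metadata:created_at 2015_03_02, confidence Medium, signature_severity Major, updated_at 2020_09_29;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT FritzBox RCE POST Request"; flow:to_server,established; urilen:14; http.method; content:"POST"; http.uri; content:"/cgi-bin/webcm"; fast_pattern; http.request_body; content:"getpage="; depth:10; content:"errorpage="; distance:0; content:"/html/index.html&login|3a|command"; distance:0; reference:url,www.exploit-db.com/exploits/33136; classtype:attempted-admin; sid:2020867; rev:5; metadata:created_at 2015_04_09, confidence Medium, signature_severity Major, updated_at 2020_09_30;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear DGN1000B Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/setup.cgi?todo=wan_dns1="; fast_pattern; reference:url,www.rapid7.com/db/modules/exploit/linux/http/netgear_dgn1000b_setup_exec; classtype:attempted-admin; sid:2020874; rev:5; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_09_30;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tenda ADSL2/2+ Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/apply.cgi?wan_primary_dns="; fast_pattern; content:"&wan_secondary_dns="; reference:url,malwr.com/analysis/MGY1ZDFhYjE1MzQ4NDAwM2EyZTI5YmY3MWZjMWE5OGM; classtype:attempted-admin; sid:2020876; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_09_30;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Known Malicious Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/router/add_dhcp_segment.cgi?"; fast_pattern; content:"is_router_as_dns=1"; content:"&dns1="; content:"submitbutton="; reference:url,wepawet.cs.ucsb.edu/view.php?hash=5e14985415814ed1e107c0583a27a1a2&t=1384961238&type=js; classtype:attempted-admin; sid:2020877; rev:4; metadata:created_at 2015_04_09, signature_severity Major, updated_at 2020_09_30;)
# Redirect to SMB: these inspect the server response (flow:from_server) for a 3xx whose
# Location header starts with file://. The alert's source is the web server that issued the
# redirect; the host at risk is the $HOME_NET client that followed it.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 302"; flow:from_server,established; http.stat_code; content:"302"; http.stat_msg; content:"Found"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020916; rev:4; metadata:created_at 2015_04_16, confidence Medium, signature_severity Major, updated_at 2020_09_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 301"; flow:from_server,established; http.stat_code; content:"301"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020917; rev:4; metadata:created_at 2015_04_16, confidence Medium, signature_severity Major, updated_at 2020_09_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 307"; flow:from_server,established; http.stat_code; content:"307"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/resurrection-of-the-living-dead-the-redirect-to-smb-vulnerability/; classtype:attempted-user; sid:2020976; rev:4; metadata:created_at 2015_04_23, confidence Medium, signature_severity Major, updated_at 2020_09_30;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Redirect to SMB exploit attempt - 303"; flow:from_server,established; http.stat_code; content:"303"; http.header; content:"Location|3a 20|file|3a 2f 2f|"; fast_pattern; reference:url,blog.cylance.com/redirect-to-smb; classtype:attempted-user; sid:2020977; rev:4; metadata:created_at 2015_04_23, confidence Medium, signature_severity Major, updated_at 2020_09_30;)
# WNR2000v4: "threshold: type both, count 10" alerts once per destination only after ten such
# POSTs in 60s — the brute-force pattern, not a single request.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT WNR2000v4 HTTP POST RCE Attempt Via Timestamp Discovery"; flow:to_server,established; threshold: type both, track by_dst, count 10, seconds 60; http.method; content:"POST"; http.uri; content:"/apply_noauth.cgi"; fast_pattern; http.request_body; content:"timestamp="; reference:url,seclists.org/fulldisclosure/2015/Apr/72; classtype:attempted-admin; sid:2021018; rev:4; metadata:created_at 2015_04_28, confidence Medium, signature_severity Major, updated_at 2020_09_30;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT AirLive RCI HTTP Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/cgi_test.cgi?write_"; fast_pattern; pcre:"/\?write_(?:m(?:ac|sn)|hdv|pid|tan)&[^&]*\x3b/i"; reference:url,packetstormsecurity.com/files/132585/CORE-2015-0012.txt; classtype:attempted-admin; sid:2021408; rev:4; metadata:created_at 2015_07_13, signature_severity Major, updated_at 2020_10_01;)
# HPDM: matches the NUL-separated user/database fields of a database login for the built-in
# dm_postgres account on port 40006 (looks like a PostgreSQL startup message — confirm). A
# hit from any host other than the HPDM server itself is the case worth investigating.
alert tcp any any -> $HOME_NET 40006 (msg:"ET EXPLOIT [401TRG] HPDM Backdoor Login"; flow:established,to_server; content:"user|00|dm_postgres|00|database|00|hpdmdb|00|"; fast_pattern; reference:url,twitter.com/nickstadb/status/1310853783765815297; classtype:attempted-admin; sid:2030961; rev:2; metadata:created_at 2020_10_02, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_10_02;)
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:4; metadata:created_at 2015_12_16, confidence Medium, signature_severity Major, updated_at 2020_10_05;)
alert http any any -> $HOME_NET 8080 (msg:"ET EXPLOIT Linksys Router Unauthenticated Remote Code Execution"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".cgi"; nocase; http.header; content:"Authorization|3a 20|Basic"; http.request_body; content:"%74%74%63%70%5f%69%70%3d%2d%68%20%60"; fast_pattern; reference:url,sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902; classtype:attempted-user; sid:2022758; rev:4; metadata:created_at 2016_04_25, confidence Medium, signature_severity Major, updated_at 2020_10_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Mida eFramework RCE Attempt Inbound (CVE-2020-15922)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"ipaddress0|22|"; fast_pattern; content:"|3b|"; within:6; reference:url,www.exploit-db.com/exploits/48835; reference:cve,2020-15922; classtype:attempted-admin; sid:2030989; rev:1; metadata:created_at 2020_10_07, cve CVE_2020_15922, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_10_07;)
# Eir D1000 / TR-064 on ports 5555 and 7547: the body bytes |3c 75 3a 47 ... 73| spell
# "<u:GetSecurityKeys". Destination is "any", so this also catches $HOME_NET hosts probing
# outward; the md5 reference and trojan-activity classtype indicate it was written for the
# malware propagation traffic, not only for targeted inbound attempts.
alert http any any -> any [5555,7547] (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit Retrieving Wifi Key"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; nocase; fast_pattern; http.request_body; content:"|3c 75 3a 47 65 74 53 65 63 75 72 69 74 79 4b 65 79 73|"; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023549; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_10_07;)
# Oracle IdM: "reference:cve,CVE-2017-10151" carries the CVE- prefix while every other rule
# here uses the bare "YYYY-NNNN" form; harmless, but inconsistent for tooling that builds
# links from the reference value.
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle Identity Manager Attempt to Logon with default account"; flow:to_server,established; http.request_body; content:"=OIMINTERNAL"; fast_pattern; reference:cve,CVE-2017-10151; reference:url,oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html; classtype:attempted-admin; sid:2024941; rev:4; metadata:affected_product Oracle_Identity_Manager, attack_target Web_Server, created_at 2017_11_01, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Critical, updated_at 2020_10_09;)
# SolusVM: "_v=" and "deleteid=" come before any sticky buffer, so they are matched in the raw
# payload rather than a parsed HTTP buffer. classtype trojan-activity is unusual for an
# injection attempt; the Drupal and Lexmark rules here use web-application-attack.
alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT SolusVM 1.13.03 SQL injection"; flow:established,to_server; content:"_v="; content:"deleteid="; http.method; content:"POST"; http.uri; content:"/centralbackup.php?"; fast_pattern; classtype:trojan-activity; sid:2017060; rev:6; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2013_06_25, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_10_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Belkin N600DB Wireless Router Request Forgery Attempt"; flow:to_server,established; http.uri; content:"/proxy.cgi?chk&url="; fast_pattern; classtype:attempted-user; sid:2025223; rev:3; metadata:attack_target IoT, created_at 2018_01_19, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_10_09;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Generic ADSL Router DNS Change Request"; flow:to_server,established; http.uri; content:"dnsPrimary="; fast_pattern; content:"dnsSecondary="; content:"Enable_DNSFollowing=1"; classtype:attempted-user; sid:2025222; rev:4; metadata:affected_product D_Link_DSL_2640R, attack_target IoT, created_at 2018_01_19, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_10_09;)
# MobileIron: |2f 2e 3b 2f| is the path fragment "/.;/". It is matched regardless of the host
# application, so hits against non-MobileIron servers are expected and still worth a look as
# generic path-normalization / access-control bypass probing.
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible MobileIron RCE Attempt Inbound (CVE-2020-15505)"; flow:established,to_server; http.uri; content:"|2f 2e 3b 2f|"; fast_pattern; reference:url,blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html; reference:cve,2020-15505; classtype:attempted-admin; sid:2030997; rev:1; metadata:created_at 2020_10_12, cve CVE_2020_15505, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_10_12;)
# QNAP Shellshock: |28 29 20 7b| is "() {" in any request header, combined with the
# authLogin.cgi URI; the generic Shellshock rules elsewhere in the ruleset cover other paths.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT QNAP Shellshock CVE-2014-6271"; flow:established,to_server; http.uri; content:"authLogin.cgi"; http.header; content:"|28 29 20 7b|"; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:5; metadata:created_at 2014_12_10, cve CVE_2014_6271, signature_severity Major, tag CISA_KEV, updated_at 2020_10_13;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Lexmark Printer RDYMSG Cross Site Scripting Attempt"; flow:established,to_server; http.uri; content:"pjl_ready_message="; nocase; fast_pattern; pcre:"/pjl\x5Fready\x5Fmessage\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/i"; reference:url,packetstormsecurity.org/files/view/97265/lexmark-xss.txt; classtype:web-application-attack; sid:2012193; rev:5; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2011_01_15, deployment Datacenter, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_10_13;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-LINK TL-WR340G Router DNS Change GET Request"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/userRpm/WanDynamicIpCfgRpm.htm?"; depth:32; content:"&dnsserver="; content:"&Save=Save"; fast_pattern; reference:url,www.exploit-db.com/exploits/34583; classtype:attempted-admin; sid:2020856; rev:5; metadata:created_at 2015_04_08, signature_severity Major, updated_at 2020_10_13;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Command Injection Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?page=SetMediaDir"; fast_pattern; content:"|3b|"; distance:0; isdataat:1,relative; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031056; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_10_19, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# QCMAP overflow: the eight chained "&" matches are a parameter-count heuristic (eight or more
# "&" after the script name). A legitimate qcmap_web_cgi page with that many parameters
# would fire too; tune per device if it is in legitimate use.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP Stack-Based Buffer Overflow Attempt Inbound (CVE-2020-3657)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; content:"&"; distance:0; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-3657; classtype:attempted-admin; sid:2031057; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_3657, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_10_19;)
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Qualcomm QCMAP NULL Pointer Dereference Attempt Inbound (CVE-2020-25858)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/qcmap_web_cgi?"; fast_pattern; pcre:"/^[^=]{1,}$/RUi"; reference:url,www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities; reference:cve,2020-25858; classtype:attempted-admin; sid:2031058; rev:1; metadata:created_at 2020_10_19, cve CVE_2020_25858, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2020_10_19;)
# Jira enumeration: "threshold: type limit, count 30" alerts on the first 30 matches per
# source in 45s and then suppresses — it rate-limits the alert, it does not require 30
# requests, so a single lookup already fires. If the intent is to flag only bulk
# enumeration, "type threshold" (or "type both", as sid 2021018 uses) gates on the count.
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ViewUserHover.jspa?username="; fast_pattern; threshold: type limit, count 30, seconds 45, track by_src; reference:cve,2020-14181; classtype:attempted-recon; sid:2031066; rev:2; metadata:created_at 2020_10_21, cve CVE_2020_14181, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Minor, updated_at 2020_10_21;)
# DAMAGED IN THIS COPY: the next line fuses the Citrix CVE-2020-8195 rule with the header of
# the Yachtcontrol Inbound rule (sid 2029153). It looks like everything from a "<" inside
# the Citrix request_body content through the "->" of the following rule header was
# stripped during extraction, so the Citrix sid, its remaining options and the
# Yachtcontrol source/destination are unrecoverable here. The line will not parse; restore
# both rules from the upstream ET Open ruleset rather than editing this text.
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Information Disclosure Attempt Inbound (CVE-2020-8195)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?filter=path|3a 25|2F"; fast_pattern; http.request_body; content:" any any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029153; rev:2; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, cve CVE_2019_17270, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
# Echobot (Mirai variant) exploit set, sids 2029152-2029175: each vulnerability has an
# Inbound rule ($EXTERNAL_NET -> any) and an Outbound rule ($HOME_NET -> $EXTERNAL_NET).
# An Outbound hit means an internal host is the one sending the exploit request — treat it
# as a likely compromised device, not as an inbound attack. Most Outbound/Inbound pairs
# additionally require "http" after the injection point, i.e. a URL in the injected
# command, which is the propagation pattern described in the referenced write-up.
# "sytemcall.php" is the script name as published in the referenced advisory, not a typo.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Yachtcontrol Webservers RCE CVE-2019-17270 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/pages/sytemcall.php?command=|7c|"; depth:30; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-17270; classtype:attempted-admin; sid:2029152; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_16, cve CVE_2019_17270, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
# sids 2029154/2029155: msg corrected from "CVE-2019-118396" to "CVE-2019-18396", matching
# the rules' own reference and metadata values; rev bumped for the edit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-18396/CVE-2017-14127 (Outbound)"; flow:established,to_server; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029154; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_18396, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Technicolor TD5130v2/TD5336 Router RCE CVE-2019-18396/CVE-2017-14127 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/mnt_ping.cgi?isSubmit=1&addrType=3&pingAddr=|3b|"; depth:46; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-18396; reference:cve,2017-14127; classtype:attempted-admin; sid:2029155; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_18396, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029156; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible AVCON6 Video Conferencing System RCE (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/login.action?redirect:${%23a%3d(new%20java.lang.%22"; depth:52; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029157; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Minor, updated_at 2020_10_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029158; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_16072, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Enigma Network Management Systems v65.0.0 CVE-2019-16072 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|7c|"; depth:106; fast_pattern; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2019-16072; classtype:attempted-admin; sid:2029159; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2019_16072, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029160; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Sar2HTML plotting tool for Linux servers v3.2.1 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/index.php?plot=|3b|"; depth:17; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029161; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Minor, updated_at 2020_10_26;)
# Citrix SD-WAN: the injection point is the session cookie (http.cookie), not the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Outbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029164; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2017_6316, deployment Perimeter, signature_severity Major, tag CISA_KEV, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Citrix NetScaler SD-WAN 9.1.2.26.561201 Devices CVE-2017-6316 (Inbound)"; flow:established,to_server; urilen:13; http.method; content:"POST"; http.uri; content:"/global_data/"; fast_pattern; http.cookie; content:"`"; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-6316; classtype:attempted-admin; sid:2029165; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2017_6316, deployment Perimeter, signature_severity Major, tag CISA_KEV, updated_at 2020_10_26;)
# sids 2029166/2029167: the msg says CVE-2013-5912 while reference and metadata say
# 2013-5192 — one is a digit transposition. Left as published; confirm against the advisory
# before pivoting on either value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029166; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2013_5192, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Thomson Reuters Velocity Analytics Vhayu Analytic Servers 6.94 build 2995 CVE-2013-5912 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/VhttpdMgr?action=importFile&fileName="; depth:38; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2013-5192; classtype:attempted-admin; sid:2029167; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2013_5192, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029168; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT ACTi ASOC 2200 Web Configurators versions <2.6 RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/test?iperf=|3b|"; depth:21; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029169; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029170; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT 3Com Office Connect Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/utility.cgi?testType=1&IP="; depth:27; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029171; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029172; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2006_4000, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Barracuda Spam Firewall 3.3.x RCE 2006-4000 (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/preview_email.cgi?file=/mail/mlog/|7c|"; depth:44; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2006-4000; classtype:attempted-admin; sid:2029173; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2006_4000, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
# CCBill: "within:40" is applied to the first http.uri content with no preceding relative
# match; the sibling rules bound the same position with "depth:N". Confirm this matches as
# intended (Suricata does not reject it, but the semantics differ from depth).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Outbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029174; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT CCBill Online Payment Systems RCE (Inbound)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ccbill/whereami.cgi?g="; within:40; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; classtype:attempted-admin; sid:2029175; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_10_26;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029162; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2017_16602, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT NetGain Systems Enterprise Manager CVE-2017-16602 (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u/jsp/tools/exec.jsp?command=cmd+%2Fc+ping&argument="; depth:53; fast_pattern; content:"http"; distance:0; reference:url,unit42.paloaltonetworks.com/mirai-variant-echobot-resurfaces-with-13-previously-unexploited-vulnerabilities/; reference:cve,2017-16602; classtype:attempted-admin; sid:2029163; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_16, cve CVE_2017_16602, deployment Perimeter, signature_severity Major, updated_at 2020_10_26;)
# Ruckus vRIoT: the pcre uses P (request body) and R (relative), continuing from the
# "|3a 20|" match, so the semicolon has to appear inside the quoted "username" value of the
# JSON body — a tight match with low false-positive risk.
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Command Injection Attempt Inbound (CVE-2020-26878)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/service/v1/createUser"; startswith; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|22|username|22|"; content:"|3a 20|"; distance:0; pcre:"/^\x22[^\x22]*\x3b[^\x22]*\x22/PR"; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26878; classtype:attempted-user; sid:2031114; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26878, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_10_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# Linear eMerge E3: anchored at URI start (26-byte content, depth:26), no explicit
# fast_pattern (Suricata selects one automatically). Tagged CISA_KEV — prioritise hits.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, tag CISA_KEV, updated_at 2020_10_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, tag CISA_KEV, updated_at 2020_10_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound"; flow:established,to_server; http.uri; content:"/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd="; depth:49; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029215; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, confidence Medium,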
signature_severity Major, updated_at 2020_10_27;) alert http $HOME_NET any -> any any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031121; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT InoERP 0.7.2 Unauthenticated Remote Code Execution (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/modules/sys/form_personalization/json_fp.php"; fast_pattern; endswith; http.request_body; content:"get_fp_from_form"; content:"exec("; distance:0; nocase; reference:url,github.com/inoerp/inoERP; reference:url,exploit-db.com/exploits/48946; classtype:attempted-admin; sid:2031122; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_27, deployment Perimeter, confidence High, signature_severity Major, updated_at 2020_10_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54GL Router DNS Change POST Request"; flow:to_server,established; urilen:10; http.method; content:"POST"; http.uri; content:"/apply.cgi"; endswith; http.request_body; content:"submit_button=index"; depth:19; content:"&action=Apply"; distance:0; nocase; 
content:"&lan_dns0="; distance:0; fast_pattern; reference:url,www.s3cur1ty.de/node/640; classtype:attempted-admin; sid:2020858; rev:4; metadata:created_at 2015_04_08, signature_severity Major, updated_at 2020_11_02;) alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow:established,to_server,only_stream; http.method; content:"PUT"; http.uri; content:"/_users/"; http.request_body; content:"_admin"; fast_pattern; reference:cve,2017-12635; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025435; rev:4; metadata:attack_target Server, created_at 2018_03_19, cve CVE_2017_12635, deployment Datacenter, malware_family CoinMiner, signature_severity Major, updated_at 2020_11_05;) alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow: established,to_server,only_stream; urilen:26; http.method; content:"PUT"; http.uri; content:"/_config/query_servers/cmd"; http.header; content:"Authorization|3a 20|Basic"; http.request_body; pcre:"/^\s*[\x22\x27]/"; reference:cve,2017-12636; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025432; rev:4; metadata:created_at 2018_03_13, cve CVE_2017_12636, deployment Datacenter, performance_impact Moderate, signature_severity Major, updated_at 2020_11_05;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:to_server,established; http.uri; content:".hta"; nocase; fast_pattern; pcre:"/\.hta(?:[?&]|$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; depth:34; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; 
sid:2024449; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_07, cve CVE_2017_0199, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2020_11_05;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:to_server,established; http.uri; content:"/lang_check.html"; content:"timestamp="; http.request_body; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; classtype:attempted-admin; sid:2024121; rev:6; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_03_30, cve CVE_2016_10174, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_11_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/index"; http.start; content:"Content-length|3a 20|0|0d 0a|Cookie|3a 20|APSCOOKIE=Era=0&Payload="; fast_pattern; pcre:"/^[A-Za-z0-9+/]{0,4}?[^\x20-\x7e]/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-length|0d 0a|"; depth:24; content:!"User-Agent|0d 0a|"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept"; classtype:attempted-admin; sid:2023075; rev:4; metadata:affected_product Fortigate, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_11_05;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Detection Evasion %temp% attempt - Inbound"; flow:to_server,established; http.uri.raw; content:"%"; content:"temp%"; nocase; fast_pattern; within:7; pcre:"/\%(?:25)?temp\%/i"; 
reference:url,labs.bluefrostsecurity.de/advisories/bfs-sa-2016-001/; classtype:misc-attack; sid:2022554; rev:5; metadata:created_at 2016_02_22, signature_severity Major, updated_at 2020_11_05;) alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Nexus Repository Manager EL Injection to RCE Inbound (CVE-2020-10204)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|action|22 3a 22|"; content:"|22 3a 5b 22 24 5c 5c|"; distance:0; fast_pattern; reference:url,medium.com/@prem2/nexus-repository-manger-3-rce-cve-2020-10204-el-injection-rce-blind-566d902c1616; reference:cve,2020-10204; classtype:attempted-admin; sid:2031190; rev:1; metadata:created_at 2020_11_09, cve CVE_2020_10204, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2020_11_09;) alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Citrix Application Delivery Controller Arbitrary Code Execution Attempt (CVE-2019-19781) M2"; flow:established,to_server; http.uri; content:"/vpns/"; fast_pattern; http.header; content:"|0d 0a|NSC_USER|3a 20|"; nocase; content:"|0d 0a|NSC_NONCE|3a 20|"; nocase; content:"/../"; reference:url,support.citrix.com/article/CTX267679; reference:cve,2019-19781; classtype:attempted-admin; sid:2029255; rev:3; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2020_01_13, cve CVE_2019_19781, deployment Perimeter, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2020_11_10;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M1"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/Telerik.Web.UI.WebResource.axd"; fast_pattern; content:"type=rau"; nocase; distance:0; http.request_body; content:"rauPostData"; nocase; reference:url,github.com/noperator/CVE-2019-18935; reference:cve,2019-18935; 
classtype:web-application-attack; sid:2029761; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, cve CVE_2019_18935, deployment Perimeter, confidence Medium, signature_severity Minor, tag CISA_KEV, updated_at 2020_11_10;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT Possible Telerik UI CVE-2019-18935 File Upload Attempt M2"; http.method; content:"GET"; http.uri; content:"/Telerik.Web.UI.WebResource.axd?dp="; fast_pattern; reference:url,www.exploit-db.com/exploits/43874; classtype:web-application-attack; sid:2029762; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_03_30, cve CVE_2019_18935, deployment Perimeter, confidence Medium, signature_severity Minor, tag CISA_KEV, updated_at 2020_11_10;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:".jsp?view="; fast_pattern; content:"&os="; distance:0; content:"&address="; distance:0; reference:cve,2017-12615; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027517; rev:3; metadata:created_at 2019_06_26, cve CVE_2017_12615, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag CISA_KEV, updated_at 2020_11_17, reviewed_at 2024_05_06;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT AVTECH Authenticated Command Injection in CloudSetup.cgi (Outbound)"; flow:to_server,established; http.uri; content:"/cgi-bin/supervisor/CloudSetup.cgi?exefile="; nocase; depth:43; fast_pattern; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2030503; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_07_14, deployment Perimeter, confidence High, signature_severity Major, 
updated_at 2020_11_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M1"; flow:established,to_server; http.uri; content:"/+CSCOT+/translation-table?type=mst&textdomain=/|2b|CSCOE|2b|/"; fast_pattern; content:"&default-language&lang="; distance:0; http.uri.raw; content:"&default-language&lang=../"; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030581; rev:3; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, cve CVE_2020_3452, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_11_17;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco ASA/Firepower Unauthenticated File Read (CVE-2020-3452) M2"; flow:established,to_server; http.uri; content:"/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform="; fast_pattern; content:"&name=|2b|CSCOE|2b 2f|"; distance:0; http.uri.raw; content:"&platform=..&resource-type=.."; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86; reference:cve,2020-3452; classtype:attempted-user; sid:2030582; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_23, cve CVE_2020_3452, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2020_11_17;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys E1500/E2500 apply.cgi RCE Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/apply.cgi"; 
depth:10; http.request_body; content:"submit_button="; depth:14; content:"&submit_type=start_ping"; distance:0; fast_pattern; content:"&ping_size="; distance:0; content:"|3b|"; within:30; reference:url,www.exploit-db.com/exploits/24936; classtype:attempted-user; sid:2027099; rev:3; metadata:attack_target IoT, created_at 2019_03_19, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_11_18;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT IE Scripting Engine Memory Corruption Vulnerability M1 (CVE-2019-0752)"; flow:established,from_server; http.stat_code; content:"200"; http.content_type; content:"text/html"; startswith; file.data; content:""; endswith; reference:url,trellix.com/en-us/about/newsroom/stories/research/beyond-file-search-a-novel-method.html; classtype:trojan-activity; sid:2047014; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_08_01, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2023_08_01;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M1"; flow:established,to_server; flowbits:set,ET.CVE-2023-36884.Storm-0978; http.method; content:"GET"; http.uri; content:"/MSHTML_"; content:"/start.xml"; fast_pattern; endswith; reference:url,blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit; reference:cve,2023-36884; classtype:attempted-admin; sid:2046810; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_07_12, cve CVE_2023_36884, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag Storm_0978, tag CISA_KEV, updated_at 2023_08_02, reviewed_at 2023_10_06; target:src_ip;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Storm-0978 CVE-2023-36884 Exploitation Attempt M2"; flow:established,to_server; 
flowbits:isset,ET.CVE-2023-36884.Storm-0978; http.method; content:"GET"; http.uri; content:"/MSHTML_"; content:".asp?d="; fast_pattern; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}_[a-f0-9]{5}_/R"; reference:url,blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit; reference:cve,2023-36884; classtype:attempted-admin; sid:2046811; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_07_12, cve CVE_2023_36884, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2023_08_02, reviewed_at 2023_10_06; target:src_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Junos OS - Unauthenticated PHPRC Environmental Variable Modification M1 (CVE-2023-36844 CVE-2023-36845)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/webauth_operation.php"; content:"PHPRC=|2f|var|2f|tmp|2f|"; fast_pattern; reference:url,supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution; reference:url,labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/; reference:cve,2023-36844; reference:cve,2023-36845; classtype:attempted-admin; sid:2047869; rev:1; metadata:affected_product JunOS, attack_target Networking_Equipment, created_at 2023_09_01, cve CVE_2023_36844_CVE_2023_36845, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2023_09_01, reviewed_at 2023_09_01; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Junos OS - Unauthenticated PHPRC Environmental Variable Modification M2 (CVE-2023-36844 CVE-2023-36845)"; flow:established,to_server; http.method; content:"POST"; http.uri; 
content:"/webauth_operation.php"; http.request_body; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|PHPRC|22 0d 0a 0d 0a 2f|var|2f|tmp|2f|"; fast_pattern; reference:url,supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution; reference:url,labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/; reference:cve,2023-36844; reference:cve,2023-36845; classtype:attempted-admin; sid:2047870; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_09_01, cve CVE_2023_36844_CVE_2023_36845, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2023_09_01, reviewed_at 2023_09_01; target:dest_ip;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Adobe Experience Manager (AEM) Dispatcher Bypass Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/bin/querybuilder.json"; startswith; fast_pattern; isdataat:2,relative; reference:url,isc.sans.edu/diary/Obfuscated+Scans+for+Older+Adobe+Experience+Manager+Vulnerabilities/30230/; reference:url,adapt.to/2019/presentations/adaptto2019-securing-aem-webapps-by-hacking-them-mikhail-egorov.pdf; classtype:attempted-admin; sid:2048213; rev:1; metadata:affected_product Adobe_Experience_Manager, attack_target Client_Endpoint, created_at 2023_09_22, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2023_09_22, reviewed_at 2023_09_22;) alert smtp any any -> $SMTP_SERVERS any (msg:"ET EXPLOIT Possible Barracuda Email Security Gateway Remote Code Execution Attempt (CVE-2023-2868) M2"; flow:established,to_server; file.data; content:"|60 27|"; content:"|75 73 74 61 72|"; distance:0; fast_pattern; content:"|27 60|"; distance:0; within:500; 
reference:url,www.mandiant.com/resources/blog/barracuda-esg-exploited-globally; reference:cve,2023-2868; classtype:attempted-admin; sid:2048146; rev:2; metadata:affected_product Barracuda_ESG, attack_target SMTP_Server, created_at 2023_09_21, cve CVE_2023_2868, deployment Perimeter, deployment Internal, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2023_09_29, reviewed_at 2024_10_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WS_FTP .NET Deserialization Exploit Attempt (CVE-2023-40044)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/AHT/AhtApiService.asmx/AuthUser"; fast_pattern; http.content_type; content:"multipart/form-data|3b|"; startswith; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d|"; content:!"|3b 20|filename|3d|"; within:400; reference:cve,2023-40044; reference:url,www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044; classtype:attempted-admin; sid:2048383; rev:1; metadata:affected_product WS_FTP, attack_target FTP_Server, created_at 2023_10_03, cve CVE_2023_40044, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_10_03, reviewed_at 2023_10_03; target:dest_ip;) alert smtp $HOME_NET any -> any any (msg:"ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-4115) set"; flow:established; flowbits:set,ET.eximsmtp; flowbits:noalert; content:"ESMTP Exim|20|"; fast_pattern; reference:url,www.zerodayinitiative.com/advisories/ZDI-23-1469/; reference:url,labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/; reference:cve,2023-4115; classtype:attempted-admin; sid:2048389; rev:1; metadata:attack_target SMTP_Server, 
created_at 2023_10_03, cve CVE_2023_4115, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, updated_at 2023_10_03, reviewed_at 2023_10_03; target:src_ip;) alert smtp any any -> $HOME_NET any (msg:"ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-42115)"; flow:established; flowbits:isset,ET.eximsmtp; content:"auth|20|"; nocase; fast_pattern; pcre:"/^(?:(?:[^A\r\n]+[A])(?:[^A\r\n]+[A])){2,}/R"; reference:url,www.zerodayinitiative.com/advisories/ZDI-23-1469/; reference:url,labs.watchtowr.com/exim-0days-90s-vulns-in-90s-software/; reference:cve,2023-42115; classtype:attempted-admin; sid:2048390; rev:1; metadata:attack_target SMTP_Server, created_at 2023_10_03, cve CVE_2023_42115, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, updated_at 2023_10_03, reviewed_at 2023_10_03; target:dest_ip;) alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt (CVE-2023-42793)"; flow:established,to_server; flowbits:set,ET.CVE-2023-42793; http.method; content:"POST"; http.uri; content:"/app/rest/users/id|3a|"; startswith; fast_pattern; content:"/tokens/"; content:"/RPC2"; endswith; reference:url,www.sonarsource.com/blog/teamcity-vulnerability/; reference:url,blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/; reference:url,attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis; reference:cve,2023-42793; classtype:attempted-admin; sid:2048460; rev:1; metadata:affected_product JetBrains_TeamCity, attack_target Web_Server, created_at 2023_10_05, cve CVE_2023_42793, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2023_10_05; target:src_ip;) alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT 
JetBrains TeamCity Auth Bypass Successful Attempt (CVE-2023-42793)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-42793; http.response_body; content:"|3c|token|20|name|3d 22|"; fast_pattern; content:"creationTime|3d 22|"; content:"value|3d 22|"; reference:url,www.sonarsource.com/blog/teamcity-vulnerability/; reference:url,blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/; reference:url,attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis; reference:cve,2023-42793; classtype:successful-admin; sid:2048461; rev:1; metadata:affected_product JetBrains_TeamCity, attack_target Web_Server, created_at 2023_10_05, cve CVE_2023_42793, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2023_10_05, reviewed_at 2023_10_05; target:src_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Tenda G103 Command Injection Attempt (CVE-2023-27076)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/luci?language="; fast_pattern; startswith; pcre:"/(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9/; reference:cve,2023-27076; classtype:attempted-admin; sid:2048547; rev:1; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_27076, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_10_12, reviewed_at 2023_10_12, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT LB-Link Command Injection Attempt (CVE-2023-26801)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/set_LimitClient_cfg"; bsize:27; http.request_body; content:"time1="; startswith; 
fast_pattern; content:"&time2"; distance:0; content:"&mac="; distance:0; pcre:"/(?:(wget|curl))/R"; content:"|20|http"; within:5; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9; reference:cve,2023-26801; classtype:attempted-admin; sid:2048548; rev:1; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_26801, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_10_12, reviewed_at 2023_10_12, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT DCN DCBI-Netlog-LAB Remote Code Execution Vulnerability Attempt (CVE-2023-26802)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/network_config/nsg_masq.cgi?"; startswith; fast_pattern; content:"&proto="; distance:0; pcre:"/(?:(wget|curl))/R"; reference:url,unit42.paloaltonetworks.com/mirai-variant-iz1h9; reference:cve,2023-26802; classtype:attempted-admin; sid:2048549; rev:1; metadata:attack_target IoT, created_at 2023_10_12, cve CVE_2023_26802, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_10_12, reviewed_at 2023_10_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Outbound) M1"; flow:established,to_client; http.response_body; content:"|3c|head|3e 3c|title|3e|404|20|Not|20|Found|3c 2f|title|3e 3c 2f|head|3e|"; content:"|3c|center|3e 3c|h1|3e|404|20|Not|20|Found|3c 2f|h1|3e 3c 2f|center|3e|"; fast_pattern; content:"|3c|hr|3e 3c|center|3e|nginx|3c 2f|center|3e|"; flowbits:isset,ET.CVE-2023-20198.Inbound; 
reference:url,github.com/fox-it/cisco-ios-xe-implant-detection; reference:cve,2023-20198; classtype:attempted-recon; sid:2048739; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_10_23, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2023_10_23, reviewed_at 2023_10_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M1"; flow:established,to_client; http.response_body; content:"|3c|head|3e 3c|title|3e|404|20|Not|20|Found|3c 2f|title|3e 3c 2f|head|3e|"; content:"|3c|center|3e 3c|h1|3e|404|20|Not|20|Found|3c 2f|h1|3e 3c 2f|center|3e|"; fast_pattern; content:"|3c|hr|3e 3c|center|3e|nginx|3c 2f|center|3e|"; flowbits:isset,ET.CVE-2023-20198.Outbound; reference:url,github.com/fox-it/cisco-ios-xe-implant-detection; reference:cve,2023-20198; classtype:attempted-recon; sid:2048740; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_10_23, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2023_10_23, reviewed_at 2023_10_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Outbound) M2"; flow:established,to_client; http.response_body; content:"|3c|head|3e 3c|title|3e|404|20|Not|20|Found|3c 2f|title|3e 3c 2f|head|3e|"; content:"|3c|center|3e 3c|h1|3e|404|20|Not|20|Found|3c 2f|h1|3e 3c 2f|center|3e|"; content:"|3c|hr|3e 3c|center|3e|openresty|3c 2f|center|3e|"; fast_pattern; flowbits:isset,ET.CVE-2023-20198.Inbound; reference:url,github.com/fox-it/cisco-ios-xe-implant-detection; reference:cve,2023-20198; reference:url,twitter.com/SI_FalconTeam/status/1716497899821941230; classtype:attempted-recon; sid:2048741; rev:1; 
metadata:attack_target Networking_Equipment, created_at 2023_10_23, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2023_10_23, reviewed_at 2023_10_23;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M2"; flow:established,to_client; http.response_body; content:"|3c|head|3e 3c|title|3e|404|20|Not|20|Found|3c 2f|title|3e 3c 2f|head|3e|"; content:"|3c|center|3e 3c|h1|3e|404|20|Not|20|Found|3c 2f|h1|3e 3c 2f|center|3e|"; content:"|3c|hr|3e 3c|center|3e|openresty|3c 2f|center|3e|"; fast_pattern; flowbits:isset,ET.CVE-2023-20198.Outbound; reference:url,github.com/fox-it/cisco-ios-xe-implant-detection; reference:cve,2023-20198; reference:url,twitter.com/SI_FalconTeam/status/1716497899821941230; classtype:attempted-recon; sid:2048742; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_10_23, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2023_10_23, reviewed_at 2023_10_23;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)"; flow:established,to_server; flowbits:set,ET.CVE-2023-4966.LeakAttempt; http.uri; content:"/oauth/idp/.well-known/openid-configuration"; fast_pattern; http.host; bsize:>20000; reference:url,www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966; reference:cve,2023-4966; classtype:attempted-admin; sid:2048930; rev:1; metadata:attack_target Web_Server, created_at 2023_10_29, cve CVE_2023_4966, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_10_29, reviewed_at 2023_10_29, 
mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:dest_ip;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure - Successful Response (CVE-2023-4966)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-4966.LeakAttempt; http.stat_code; content:"200"; http.content_type; content:"application/json"; startswith; http.response_body; content:"|7b 22|issuer|22 3a 20 22|http"; startswith; fast_pattern; content:!"|22 2c 20 22|authorization_endpoint"; within:20000; reference:url,www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966; reference:cve,2023-4966; classtype:successful-admin; sid:2048932; rev:1; metadata:attack_target Web_Server, created_at 2023_10_29, cve CVE_2023_4966, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Critical, tag CISA_KEV, updated_at 2023_10_29, reviewed_at 2023_10_29, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:src_ip;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Cisco IOS XE Web Server Auth Bypass (CVE-2023-20198) (Outbound) M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/|25|25"; depth:4; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; flowbits:set,ET.CVE-2023-20198.Outbound; reference:url,github.com/fox-it/cisco-ios-xe-implant-detection; reference:cve,2023-20198; classtype:attempted-recon; sid:2048737; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_10_23, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2023_10_30, reviewed_at 2023_10_29;) #alert http $EXTERNAL_NET any -> $HOME_NET any 
(msg:"ET EXPLOIT Cisco IOS XE Web Server Auth Bypass (CVE-2023-20198) (Inbound) M2"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/|25|25"; startswith; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; flowbits:set,ET.CVE-2023-20198.Inbound; reference:url,github.com/fox-it/cisco-ios-xe-implant-detection; reference:cve,2023-20198; classtype:attempted-recon; sid:2048738; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_10_23, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2023_10_30, reviewed_at 2023_10_30;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Inbound) M1"; flow:established,to_server; urilen:38; http.method; content:"POST"; http.uri; content:"/webui/logoutconfirm.html?logon_hash=1"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:trojan-activity; sid:2048584; rev:2; metadata:affected_product iOS, attack_target Web_Server, created_at 2023_10_17, cve CVE_2023_20198, deployment Perimeter, deployment Internet, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_10_30, reviewed_at 2024_01_26;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) (Outbound) M1"; flow:established,to_server; urilen:38; http.method; content:"POST"; http.uri; content:"/webui/logoutconfirm.html?logon_hash=1"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:trojan-activity; sid:2048583; rev:2; metadata:affected_product 
iOS, attack_target Web_Server, created_at 2023_10_17, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_10_30, reviewed_at 2024_01_26;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"|25|25"; http.request_body; content:"|3c|SOAP|3a|Body|3e|"; nocase; content:"|3c|request correlator|3d 22|"; nocase; distance:0; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:attempted-admin; sid:2048941; rev:3; metadata:created_at 2023_10_30, cve CVE_2023_20198, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_10_31, reviewed_at 2024_01_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Cisco IOS XE Web Server Possible Authentication Bypass Attempt (CVE-2023-20198) (Outbound)"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"|25|25"; http.request_body; content:"|3c|SOAP|3a|Body|3e|"; nocase; content:"|3c|request correlator|3d 22|"; nocase; distance:0; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:attempted-admin; sid:2048940; rev:4; metadata:created_at 2023_10_30, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_10_31, reviewed_at 
2024_01_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web UI Command Injection Vulnerability (CVE-2023-20273)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webui/rest/softwareMgmt/installAdd"; startswith; nocase; fast_pattern; http.cookie; content:"Auth="; startswith; http.header_names; content:"|0d 0a|X-Csrf-Token|0d 0a|"; nocase; http.request_body; content:"|22|ipaddress|22|"; nocase; content:"|22|"; within:5; content:"|3a|"; within:5; content:"|3a|"; within:5; content:"|3a|"; within:5; pcre:"/^.{0,5}(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,blog.leakix.net/2023/10/cisco-root-privesc/; reference:url,twitter.com/joel_land/status/1719708750741639539; reference:url,sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z; reference:cve,2023-20273; classtype:attempted-admin; sid:2049007; rev:1; metadata:affected_product Cisco_IOS, attack_target Networking_Equipment, created_at 2023_11_01, cve CVE_2023_20273, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Critical, tag CISA_KEV, updated_at 2023_11_01, reviewed_at 2023_11_01, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Deletion (CVE-2023-46747)"; flow:established,to_server; app-layer-event:http.invalid_transfer_encoding_value_in_request; content:"|0d 0a 00 08|HTTP"; isdataat:!514,relative; content:"|00 12|/tmui/Control/form|00|"; nocase; distance:0; content:"form|5f|page|3d 
25|2Ftmui|25|2Fsystem|25|2Fuser|25|2Flist|2e|jsp"; fast_pattern; nocase; distance:0; content:"delete|5f|confirm|3d|Delete"; nocase; distance:0; http.method; content:"POST"; http.uri; content:"/tmui/"; startswith; reference:url,my.f5.com/manage/s/article/K000137353; reference:url,www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/; reference:cve,2023-46747; classtype:attempted-admin; sid:2049059; rev:1; metadata:affected_product F5, attack_target Networking_Equipment, created_at 2023_11_03, cve CVE_2023_46747, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_11_09, reviewed_at 2023_11_03; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Atlassian Confluence Improper Authentication Validation Exploitation Attempt set (CVE-2023-22518)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/json/setup-restore"; fast_pattern; content:".action"; within:20; http.header; content:"X-Atlassian-Token|3a 20|no-check|0d|"; http.request_body; content:"filename=|22|"; pcre:"/^[^\x22]+\.zip\x22/Ri"; content:"Upload|20|and|20|import|0d 0a|"; nocase; flowbits:set,ET.CVE-2023-22518.req; flowbits:noalert; reference:cve,2023-22518; classtype:attempted-admin; sid:2049096; rev:1; metadata:affected_product Atlassian_Confluence, attack_target Server, created_at 2023_11_06, cve CVE_2023_22518, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2023_11_06, reviewed_at 2023_11_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Successful Atlassian Confluence Improper Authentication Validation Exploitation Attempt (CVE-2023-22518)"; flow:established,to_client; 
http.stat_code; content:"200"; http.response_body; content:"The|20|zip|20|file|20|did|20|not|20|contain|20|an|20|entry"; fast_pattern; nocase; flowbits:isset,ET.CVE-2023-22518.req; reference:cve,2023-22518; classtype:attempted-admin; sid:2049097; rev:1; metadata:affected_product Atlassian_Confluence, attack_target Server, created_at 2023_11_06, cve CVE_2023_22518, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2023_11_06, reviewed_at 2023_11_06, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) M3"; flow:established,to_server; urilen:32; http.method; content:"POST"; http.uri; content:"|2f|webui|2f|logoutconfirm|2e|html|3f|menu|3d|1"; fast_pattern; threshold:type limit,seconds 300,count 1,track by_src; reference:url,blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/; reference:cve,2023-20198; classtype:trojan-activity; sid:2049103; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_11_07, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_11_07;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Creation (CVE-2023-46747)"; flow:established,to_server; app-layer-event:http.invalid_transfer_encoding_value_in_request; content:"|0d 0a 00 08|HTTP"; isdataat:!518,relative; content:"|00 12|/tmui/Control/form|00|"; nocase; distance:0; content:"form|5f|page|3d 25|2Ftmui|25|2Fsystem|25|2Fuser|25|2Fcreate|2e|jsp"; fast_pattern; distance:0; nocase; http.method; content:"POST"; http.uri; content:"/tmui/"; startswith; reference:url,my.f5.com/manage/s/article/K000137353; 
reference:url,www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/; reference:cve,2023-46747; classtype:attempted-admin; sid:2049058; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_11_03, cve CVE_2023_46747, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_11_09, reviewed_at 2023_11_09; target:dest_ip;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT SpringShell/Spring4Shell RCE Attempt (CVE-2022-22965)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".jsp?pwd=j&cmd=id"; endswith; fast_pattern; http.request_body; content:"class.module.classLoader.resources.context.parent.pipeline"; reference:url,unit42.paloaltonetworks.com/cve-2022-22965-springshell/; reference:cve,2022-22965; classtype:attempted-admin; sid:2049150; rev:1; metadata:affected_product Spring_Framework, attack_target Client_Endpoint, created_at 2023_11_10, cve CVE_2022_22965, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CVE_2022_22965, tag CISA_KEV, updated_at 2023_11_10;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible SysAid Traversal Attack (CVE-2023-47246)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"accountid="; fast_pattern; nocase; pcre:"/^[^&]+\x2e(?:\x2e|\x2f)/Ri"; reference:url,www.huntress.com/blog/critical-vulnerability-sysaid-cve-2023-47246; reference:url,profero.io/posts/sysaidonpremvulnerability/; reference:url,swww.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification; reference:cve,2023-47246; classtype:attempted-admin; sid:2049147; rev:2; metadata:attack_target Web_Server, created_at 2023_11_10, cve CVE_2023_47246, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 
2023_11_27, reviewed_at 2024_03_18; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SysAid Traversal Attack (CVE-2023-47246)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/userentry?accountId="; nocase; fast_pattern; pcre:"/^[^&]+\x2e(?:\x2e|\x2f)/Ri"; http.request_body; content:"|78 9c|"; startswith; reference:url,www.huntress.com/blog/critical-vulnerability-sysaid-cve-2023-47246; reference:url,profero.io/posts/sysaidonpremvulnerability/; reference:url,swww.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification; reference:cve,2023-47246; classtype:attempted-admin; sid:2049295; rev:1; metadata:attack_target Web_Server, created_at 2023_11_27, cve CVE_2023_47246, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2023_11_29; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Successful Apache ActiveMQ Remote Code Execution (CVE-2023-46604)"; flow:established,to_client; xbits:isset,ET.CVE-2023-46604.attempt, track ip_dst; http.response_body; content:"|3c|bean"; content:"|22|java|2e|lang|2e|ProcessBuilder|22|"; nocase; fast_pattern; distance:0; content:"init|2d|method|3d 22|start|22|"; within:100; content:"constructor|2d|arg"; distance:0; reference:url,attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604; reference:url,activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt; reference:url,github.com/X1r0z/ActiveMQ-RCE; reference:cve,2023-46604; classtype:successful-admin; sid:2049385; rev:1; metadata:attack_target Server, created_at 2023_11_29, cve CVE_2023_46604, deployment Perimeter, performance_impact Low, confidence High, signature_severity Critical, tag CISA_KEV, updated_at 2023_11_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; 
target:dest_ip;) alert tcp any any -> $HOME_NET [61616:61617] (msg:"ET EXPLOIT Apache ActiveMQ Remote Code Execution Attempt (CVE-2023-46604)"; flow:established,to_server; xbits:set,ET.CVE-2023-46604.attempt, track ip_dst, expire 300; stream_size:server,<,500; content:"|01 01|"; content:"org.springframework.context.support.ClassPathXmlApplicationContext|01|"; nocase; within:70; fast_pattern; content:"http"; within:10; content:"|3a 2f 2f|"; within:4; reference:url,attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604; reference:url,activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt; reference:url,github.com/X1r0z/ActiveMQ-RCE; reference:cve,2023-46604; classtype:attempted-admin; sid:2049045; rev:2; metadata:attack_target Server, created_at 2023_11_02, cve CVE_2023_46604, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2023_11_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Suspected WordPress Plugin Royal Elementor RCE (CVE-2023-5360)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wp-admin/admin-ajax.php"; endswith; http.content_type; content:"multipart/form-data|3b 20|boundary="; startswith; http.request_body; content:"form-data|3b 20|name=|22|wpr_addons_nonce|22|"; fast_pattern; content:"form-data|3b 20|name=|22|max_file_size|22|"; distance:0; content:"form-data|3b 20|name=|22|allowed_file_types|22|"; distance:0; content:"form-data|3b 20|name=|22|triggering_event|22|"; distance:0; content:"form-data|3b 20|name=|22|uploaded_file|22 3b 20|"; distance:0; reference:url,nvd.nist.gov/vuln/detail/CVE-2023-5360; reference:cve,2023-5360; classtype:attempted-admin; sid:2049627; rev:1; metadata:attack_target Web_Server, created_at 2023_12_08, cve CVE_2023_5360, deployment Perimeter, 
performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_12_08; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Web Appliance Pre-Auth Command Injection Attempt (CVE-2023-1671)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|index|2e|php|3f|c|3d|blocked|26|action|3d|continue"; bsize:36; http.request_body; content:"args_reason=filetypewarn&url="; startswith; fast_pattern; content:"&filetype="; content:"&user_encoded="; reference:url,sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce; classtype:attempted-admin; sid:2049632; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_12_11, cve CVE_2023_1671, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag cve_2023_1671, tag CISA_KEV, updated_at 2023_12_11, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible VMWare NSX Manager Remote Code Execution Exploit Attempt (CVE-2021-39144)"; flow:established,to_server; http.request_line; content:"PUT|20|/api/2.0/services/usermgmt/password/"; startswith; reference:url,srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html; reference:cve,2021-39144; classtype:attempted-admin; sid:2039596; rev:3; metadata:affected_product VMware, attack_target Server, created_at 2022_10_28, cve CVE_2021_39144, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2023_12_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Possible Google Cookie Token Manipulation Activity"; flow:established,to_server; 
http.method; content:"POST"; http.uri; content:"/oauth/multilogin"; startswith; http.host; content:"accounts.google.com"; bsize:19; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header; content:"Authorization|3a 20|MultiBearer|20|"; http.header_names; content:"|0d 0a|Accept|0d 0a|"; content:!"Referer"; reference:url,www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking; reference:url,medium.com/@DeputyDog/breaking-through-the-infostealer-exploit-and-the-enigma-of-cookie-restoration-e03e6e3cda50; classtype:attempted-admin; sid:2049906; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_01_04, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, updated_at 2024_01_04; target:src_ip;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Inbound Setup Message from SMTP Smuggling Tool"; flow:established,to_client; content:"From|3a 20|setup|5f|check|40|"; nocase; content:"To|3a 20|"; nocase; distance:0; content:"Subject|3a 20|SETUP|20|CHECK"; nocase; distance:0; content:"Date|3a 20|"; nocase; distance:0; content:"Message|2d|ID|3a 20|"; nocase; distance:0; content:"Your setup seems to be working! 
You can now proceed with smuggling tests!"; fast_pattern; nocase; distance:0; reference:cve,2023-51764; reference:url,github.com/The-Login/SMTP-Smuggling-Tools/blob/main/smtp_smuggling_scanner.py; reference:cve,2023-51766; reference:cve,2023-51765; classtype:trojan-activity; sid:2049923; rev:1; metadata:attack_target Client_Endpoint, created_at 2024_01_05, cve CVE_2023_51765, deployment Perimeter, confidence High, signature_severity Critical, tag Exploit, updated_at 2024_01_05;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".vm"; endswith; http.request_body; content:".KEY_velocity.struts2"; fast_pattern; content:"|7b|"; distance:0; content:"|7d|"; distance:0; reference:cve,2023-22527; classtype:attempted-admin; sid:2050340; rev:1; metadata:affected_product Atlassian_Confluence, attack_target Server, created_at 2024_01_23, cve CVE_2023_22527, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_01_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert smtp any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Malicious x-sharing-config-url SMTP header observed (CVE-2023-35636)"; flow:established,to_server; content:"Content-Class|3a 20|Sharing"; nocase; content:"x-sharing-config-url|3a 20|\\"; fast_pattern; nocase; content:".ics"; within:50; reference:url,www.varonis.com/blog/outlook-vulnerability-new-ways-to-leak-ntlm-hashes; reference:cve,2023-35636; classtype:credential-theft; sid:2050433; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, created_at 2024_01_24, cve CVE_2023_35636, deployment Perimeter, deployment SSLDecrypt, performance_impact 
Low, confidence Low, signature_severity Major, updated_at 2024_01_24; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Jenkins Unauthenticated RCE Attempt Observed (CVE-2024-23897)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cli?remoting="; startswith; fast_pattern; http.request_body; content:"|00|"; within:30; content:"@"; distance:0; within:10; reference:cve,2024-23897; classtype:attempted-admin; sid:2050517; rev:1; metadata:affected_product Jenkins, attack_target Server, created_at 2024_01_29, cve CVE_2024_23897, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Citrix ADC and NetScaler Gateway Information Disclosure Attempt (CVE-2023-4966)"; flow:established,to_server; flowbits:set,ET.CVE-2023-4966.LeakAttempt; http.uri; content:"/oauth/rp/.well-known/openid-configuration"; fast_pattern; http.host; bsize:>2000; reference:url,www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966; reference:cve,2023-4966; classtype:attempted-admin; sid:2048931; rev:2; metadata:affected_product Citrix, attack_target Web_Server, created_at 2023_10_29, cve CVE_2023_4966, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_01_31, reviewed_at 2023_10_29, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request (CVE-2023-46747)"; flow:established,to_server; 
app-layer-event:http.invalid_transfer_encoding_value_in_request; content:"|0d 0a 00 08|HTTP"; isdataat:!518,relative; content:"/tmui/"; nocase; distance:0; http.method; content:"POST"; http.uri; content:"/tmui/"; startswith; fast_pattern; reference:url,my.f5.com/manage/s/article/K000137353; reference:url,www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/; reference:cve,2023-46747; classtype:attempted-admin; sid:2049057; rev:4; metadata:attack_target Networking_Equipment, created_at 2023_11_03, cve CVE_2023_46747, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_01_31, reviewed_at 2023_11_09; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Related Command Injection Attempt Inbound (CVE-2013-7471)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/soap.cgi?service=WANIPConn1"; bsize:28; fast_pattern; http.request_body; content:"|60|"; content:"|60|"; distance:0; reference:cve,2013-7471; reference:url,nvd.nist.gov/vuln/detail/cve-2013-7471; classtype:attempted-admin; sid:2039833; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_11_23, cve CVE_2013_7471, deployment Perimeter, confidence High, signature_severity Major, updated_at 2024_01_31, reviewed_at 2024_10_15, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Inbound Smuggling Message from SMTP Smuggling Tool M1"; flow:established,to_client; content:"From|3a 20|test|40|"; nocase; content:"To|3a 20|"; nocase; distance:0; content:"Subject|3a 20|CHECK|20|EMAIL"; nocase; distance:0; content:"Date|3a 20|"; nocase; distance:0; content:"Message|2d|ID|3a 20|"; nocase; distance:0; content:"TESTING"; nocase; 
distance:0; content:"as|20 22|fake|22 20|end|2d|of|2d|data|20|sequence|21|"; fast_pattern; nocase; distance:0; reference:cve,2023-51764; reference:url,github.com/The-Login/SMTP-Smuggling-Tools/blob/main/smtp_smuggling_scanner.py; reference:cve,2023-51766; reference:cve,2023-51765; classtype:trojan-activity; sid:2049924; rev:2; metadata:attack_target Client_Endpoint, created_at 2024_01_05, cve CVE_2023_51765, deployment Perimeter, confidence High, signature_severity Critical, tag Exploit, updated_at 2024_01_31;) alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Inbound Smuggling Message from SMTP Smuggling Tool M2"; flow:established,to_client; content:"From|3a 20|smuggled|40|"; nocase; content:"To|3a 20|"; nocase; distance:0; content:"Subject|3a 20|SMUGGLED|20|EMAIL"; nocase; distance:0; content:"Date|3a 20|"; nocase; distance:0; content:"Message|2d|ID|3a 20|"; nocase; distance:0; content:"SMUGGLING WORKS with"; nocase; distance:0; content:"as|20 22|fake|22 20|end|2d|of|2d|data|20|sequence|21|"; fast_pattern; nocase; distance:0; reference:cve,2023-51764; reference:url,github.com/The-Login/SMTP-Smuggling-Tools/blob/main/smtp_smuggling_scanner.py; reference:cve,2023-51766; reference:cve,2023-51765; classtype:trojan-activity; sid:2049925; rev:2; metadata:attack_target Client_Endpoint, created_at 2024_01_05, cve CVE_2023_51766, deployment Perimeter, confidence High, signature_severity Critical, tag Exploit, updated_at 2024_01_31;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for hostile binary"; flow:established,to_server; http.uri; content:".php?height="; content:"&sid="; content:"&width="; pcre:"/\/[a-z0-9]{30,}\.php\?height=\d+&sid=\d+&width=[a-z0-9]+&/"; http.user_agent; content:"Java/"; classtype:trojan-activity; sid:2012644; rev:4; metadata:created_at 2011_04_06, signature_severity Major, updated_at 2024_02_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Dadong Java Exploit 
Requested"; flow:established,to_server; http.uri; content:"/Gondad.jpg"; nocase; http.user_agent; content:"Java/"; classtype:bad-unknown; sid:2014319; rev:3; metadata:created_at 2012_03_06, signature_severity Major, updated_at 2024_02_08;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Likely Generic Java Exploit Attempt Request for Java to decimal host"; flow:established,to_server; http.user_agent; content:"Java/1"; http.host; pcre:"/^\d{8,10}$/"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013487; rev:7; metadata:created_at 2011_08_30, confidence Medium, signature_severity Major, updated_at 2024_02_08;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; http.uri; content:".id"; fast_pattern; http.user_agent; content:"Java/"; http.host; pcre:"/^\d{4,}[^A-Za-z\.]/"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:6; metadata:created_at 2011_04_04, signature_severity Major, updated_at 2024_02_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; http.uri; pcre:"/^\/[0-9]$/"; http.user_agent; content:"Java/1"; fast_pattern; classtype:trojan-activity; sid:2014959; rev:3; metadata:created_at 2012_06_26, signature_severity Major, updated_at 2024_02_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; http.uri; content:".jar"; fast_pattern; endswith; pcre:"/^\/[a-z]{13,14}\.jar$/"; http.user_agent; content:" Java/1"; 
classtype:trojan-activity; sid:2014969; rev:3; metadata:created_at 2012_06_26, confidence Medium, signature_severity Major, updated_at 2024_02_17;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; http.uri; content:"/gotit.php?"; fast_pattern; http.user_agent; content:"Java/1"; classtype:trojan-activity; sid:2015030; rev:4; metadata:created_at 2012_07_07, signature_severity Major, updated_at 2024_02_19;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; http.uri; content:".class"; endswith; fast_pattern; http.host; pcre:"/^\d{4,}[^A-Za-z\.]/"; http.user_agent; content:"Java/"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:7; metadata:created_at 2011_03_31, signature_severity Major, updated_at 2024_02_20;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Fredcot campaign php5-cgi initial exploit"; flow:established,to_server; http.user_agent; content:"Mobile/10A5355d"; http.request_body; content:" $HOME_NET any (msg:"ET EXPLOIT CVE-2024-25600 Bricks Exploitation Attempt"; flow:established,to_server; http.request_line; content:"POST|20 2f|wp|2d|json|2f|bricks|2f|v1|2f|render|5f|element|20|"; fast_pattern; http.request_body; content:"postId"; content:"nonce"; content:"useQueryEditor"; content:"queryEditor"; reference:url,github.com/Chocapikk/CVE-2024-25600/; reference:cve,2024-25600; classtype:misc-attack; sid:2051020; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Client_Endpoint, tls_state TLSEncrypt, created_at 2024_02_21, cve CVE_2024_25600, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Wordpress, 
updated_at 2024_02_22, reviewed_at 2024_11_06;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT FlashPack Flash Exploit Nov 20 2014"; flow:established,to_server; http.uri; content:"/Main.swf"; fast_pattern; http.referer; content:"/gate.php"; endswith; classtype:trojan-activity; sid:2019766; rev:4; metadata:created_at 2014_11_21, signature_severity Major, updated_at 2024_02_23;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Magnitude Flash Exploit (IE)"; flow:established,to_server; urilen:31<>69; http.uri; pcre:"/^\/\??[a-f0-9]{32}(?:\/[a-f0-9]{32})?\/?$/"; http.header_names; content:"|0d 0a|x-flash-version|0d 0a|"; fast_pattern; http.host; pcre:"/^(?:\.*[a-f0-9]\.*){32}\./m"; classtype:exploit-kit; sid:2019799; rev:4; metadata:created_at 2014_11_25, signature_severity Major, updated_at 2024_02_23;) #alert http $HOME_NET any -> $EXTERNAL_NET !80 (msg:"ET EXPLOIT Possible Sweet Orange CVE-2014-6332 Payload Request"; flow:established,to_server; flowbits:set,et.SweetOrangeURI; urilen:>50; http.uri; content:".php?"; pcre:"/^\/[a-z\_\-]{4,10}\.php\?(?:[a-z\_\-]{0,10}=\d+?&){3,}[a-z\_\-]{4,10}=-?[a-z0-9]+$/"; http.user_agent; content:"WinHttp.WinHttpRequest"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; classtype:exploit-kit; sid:2019752; rev:10; metadata:created_at 2014_11_20, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_02_27;) #alert http any any -> $HOME_NET any (msg:"ET EXPLOIT 2Wire Password Reset Vulnerability via POST"; flow:established,to_server; http.uri; content:"/xslt"; http.request_body; content:"PAGE=H04_POST&THISPAGE=H04&NEXTPAGE="; fast_pattern; content:"&PASSWORD="; distance:0; content:"&PASSWORD_CONF="; distance:0; reference:url,www.seguridad.unam.mx/doc/?ap=articulo&id=196; reference:url,packetstormsecurity.org/files/view/102614/2wire-reset.rb.txt; classtype:attempted-admin; sid:2013166; rev:3; metadata:created_at 2011_07_01, signature_severity Major, updated_at 
2024_03_05;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible BSNL Router DNS Change Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dnscfg.cgi"; fast_pattern; http.request_body; content:"dnsPrimary="; content:"&dnsSecondary="; content:"&dnsDynamic="; content:"&dnsRefresh="; reference:url,www.hackersbay.in/2011/02/pwning-routersbsnl.html; classtype:attempted-user; sid:2013918; rev:4; metadata:created_at 2011_11_18, confidence Medium, signature_severity Major, updated_at 2024_03_05;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/bsc_wlan.php"; nocase; http.request_body; content:"ACTION_POST=final&"; nocase; content:"&f_ssid="; nocase; content:"&f_authentication=7&"; nocase; within:135; content:"f_cipher=2&"; nocase; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; fast_pattern; nocase; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:6; metadata:created_at 2010_12_27, signature_severity Major, updated_at 2024_03_05;) #alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Neosploit Exploit Pack Activity Observed"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; pcre:"/\.(php|asp|py|exe|htm|html)\/[joewxy](U[0-9a-f]{8})?H[0-9a-f]{8}V[0-9a-f]{8}\d{3}R[0-9a-f]{8}\d{3}T[0-9a-f]{8,}/"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; nocase; content:!"|0d 0a|Referer|0d 0a|"; nocase; reference:url,blog.fireeye.com/research/2010/01/pdf-obfuscation.html; reference:url,blog.fireeye.com/research/2010/06/neosploit_notes.html; reference:url,dxp2532.blogspot.com/2007/12/neosploit-exploit-toolkit.html; 
classtype:attempted-user; sid:2011583; rev:6; metadata:created_at 2010_10_02, signature_severity Major, updated_at 2024_03_07;) #alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT GuppY error.php POST Arbitrary Remote Code Execution"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/error.php?"; nocase; content:"err="; nocase; http.cookie; content:"REMOTE_ADDR="; fast_pattern; startswith; reference:bugtraq,15609; classtype:web-application-attack; sid:2003332; rev:6; metadata:created_at 2010_07_30, confidence Medium, signature_severity Major, updated_at 2024_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M2 (Serialized PHP in UA)"; flow:established,to_server; http.user_agent; content:"O|3a|"; fast_pattern; pcre:"/^\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/R"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022263; rev:5; metadata:created_at 2015_12_15, confidence Medium, signature_severity Major, updated_at 2024_03_11;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE (JDatabaseDriverMysqli)"; flow:established,to_server; http.user_agent; content:"JDatabaseDriverMysqli"; fast_pattern; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022261; rev:5; metadata:created_at 2015_12_14, confidence Medium, signature_severity Major, updated_at 2024_03_12;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Junos OS - Unauthenticated Arbitrary File Upload Attempt (CVE-2023-36851)"; flow:established,to_server; flowbits:set,ET.CVE-2023-36851; http.method; content:"POST"; http.uri; content:"/webauth_operation.php"; fast_pattern; http.request_body; 
content:"rs=do_upload"; nocase; content:"rsargs"; nocase; content:"fileName"; nocase; content:"fileData"; nocase; content:"csize"; nocase; reference:url,supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution; reference:url,labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/; reference:cve,2023-36846; reference:cve,2023-36847; classtype:attempted-admin; sid:2047867; rev:2; metadata:affected_product JunOS, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2023_09_01, cve CVE_2023_36851, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_12, reviewed_at 2023_09_01; target:dest_ip;) alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET EXPLOIT Junos OS - Successful Unauthenticated Arbitrary File Upload Attempt (CVE-2023-36851)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-36851; http.stat_code; content:"200"; http.response_body; content:"|22|converted_fileName|22|"; fast_pattern; content:"0|3a 20|"; distance:0; content:"|22|original_fileName|22|"; reference:url,supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution; reference:url,labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/; reference:cve,2023-36846; reference:cve,2023-36847; classtype:successful-admin; sid:2047868; rev:2; metadata:affected_product JunOS, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2023_09_01, cve CVE_2023_36851, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_12, reviewed_at 
2023_09_01; target:src_ip;) #alert http $EXTERNAL_NET any -> $HOME_NET 8004 (msg:"ET EXPLOIT Symantec Scan Engine Request Password Hash"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/xml.xml"; fast_pattern; nocase; http.request_body; content:" $HOME_NET any (msg:"ET EXPLOIT Viessmann Vitogate 300 Command Injection Attempt (CVE-2023-5702)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/vitogate.cgi"; fast_pattern; http.content_type; content:"application/json"; http.request_body; content:"|7b 22|method|22 3a 20 22|put|22 2c 20 22|form|22 3a 20 22|"; startswith; content:"|22 2c 20 22|session|22 3a 20 22|"; within:60; content:"|22 2c 20 22|params|22 3a 20 7b 22|ipaddr|22 3a 20 22|"; within:60; content:"|3b|"; within:50; content:"|22 7d 7d|"; endswith; reference:cve,2023-5702; reference:url,www.exploit-db.com/exploits/51887; classtype:attempted-admin; sid:2051666; rev:1; metadata:affected_product Viessmann_Vitogate, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_03_15, cve CVE_2023_5702, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_03_15, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;) alert tcp any any -> $HOME_NET 23 (msg:"ET EXPLOIT Possible Uniview IPC2322lb updatecpld Restricted Shell Bypass Attempt"; flow:established,to_server; content:"User|40 2f|"; content:">updatecpld "; nocase; within:30; fast_pattern; reference:url,ssd-disclosure.com/ssd-advisory-uniview-ipc2322lb-auth-bypass-and-cli-escape/; classtype:bad-unknown; sid:2051785; rev:1; metadata:affected_product IoT, attack_target IoT, tls_state plaintext, created_at 2024_03_25, deployment Perimeter, confidence Low, signature_severity Major, updated_at 2024_03_25; target:dest_ip;) alert smtp any any -> [$SMTP_SERVERS,$HOME_NET] any (msg:"ET 
EXPLOIT RoundCube Webmail Persistent XSS Attempt (CVE-2023-43770)"; flow:established,to_server; content:"|0d 0a 0d 0a|"; content:"[]"; distance:0; fast_pattern; reference:cve,2023-43770; classtype:attempted-user; sid:2051827; rev:1; metadata:attack_target Networking_Equipment, created_at 2024_03_28, cve CVE_2023_43770, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_03_28;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Root Command Injection (Unix)"; flow:established,to_server; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; http.request_body; content:"|7b 22|action|22 3a 22|uninstall|22 2c 22|name|22 3a 22|--pre-invoke="; content:"|5c 5c|x73|5c 5c|x68"; distance:0; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026028; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, signature_severity Major, updated_at 2024_04_06, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http any any -> any [$HTTP_PORTS,7547] (msg:"ET EXPLOIT Possible Misfortune Cookie - SET"; flow:established,to_server; content:"Cookie|3a| C"; nocase; pcre:"/^[0-9][^=]/R"; flowbits:set,ET.Misfortune_Cookie; flowbits:noalert; reference:url,mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf; classtype:trojan-activity; sid:2020100; rev:3; metadata:created_at 2015_01_06, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2024_04_08;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toserver M3"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; 
isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022935; rev:3; metadata:created_at 2016_06_30, deprecation_reason Relevance, confidence Medium, signature_severity Major, updated_at 2024_04_11, reviewed_at 2024_04_11;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M4"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|57 44 56 50 49 56 41 6c 51 45 46 51 57 7a 52 63 55 46 70 59 4e 54 51 6f 55 46 34 70 4e 30 4e 44 4b 54 64 39 4a 45 56 4a 51 30 46 53|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022936; rev:3; metadata:created_at 2016_06_30, deprecation_reason Relevance, confidence Medium, signature_severity Major, updated_at 2024_04_11, reviewed_at 2024_04_11;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name Overflow (EICAR) toclient M3"; flow:established,to_client; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022937; rev:3; metadata:created_at 2016_06_30, deprecation_reason Relevance, confidence Medium, signature_severity Major, updated_at 2024_04_11, reviewed_at 2024_04_11;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Symantec Malicious MIME Doc Name 
Overflow (EICAR) toserver M4"; flow:established,to_server; content:"Content-Type|3a 20|"; nocase; content:"name"; nocase; isdataat:78,relative; pcre:"/^\s*=\s*[\x22\x27][^\x22\x27\r\n]{78}/R"; content:"|58 35 4f 21 50 25 40 41 50 5b 34 5c 50 5a 58 35 34 28 50 5e 29 37 43 43 29 37 7d 24 45 49 43 41 52 2d|"; reference:url,bugs.chromium.org/p/project-zero/issues/detail?id=823&q=; classtype:attempted-admin; sid:2022938; rev:3; metadata:created_at 2016_06_30, deprecation_reason Relevance, confidence Medium, signature_severity Major, updated_at 2024_04_11, reviewed_at 2024_04_11;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Elasticsearch CVE-2015-1427 Exploit Campaign SSL Certificate"; flow:established,to_client; tls.cert_subject; content:"ST="; distance:0; content:"hacked"; content:"|01 09 01|"; distance:0; content:"hackking@126.com"; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021351; rev:3; metadata:attack_target Client_Endpoint, created_at 2015_06_26, cve CVE_2015_1427, deployment Perimeter, confidence Medium, signature_severity Major, tag SSL_Malicious_Cert, tag CISA_KEV, updated_at 2024_04_12;) alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [ConnectWise CRU] Java ECDSA (Psychic) TLS Signature (CVE-2022-21449)"; flow:established,to_client; tls.certs; content:"|04 03 00 08 30 06 02 01 00 02 01 00|"; tag:session,5,packets; reference:url,github.com/thack1/CVE-2022-21449; reference:cve,2022-21449; classtype:targeted-activity; sid:2036377; rev:2; metadata:created_at 2022_04_26, cve CVE_2022_21449, confidence High, signature_severity Major, updated_at 2024_04_25;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Selenium Server Chrome 3.141.59 Remote Code Execution"; flow:established,to_server; flowbits:set,ET.Selenium314159.RCE; urilen:15; http.method; content:"POST"; http.uri; content:"/wd/hub/session"; fast_pattern; http.request_body; 
content:"|22|goog|3a|chromeOptions|22|"; content:"|22|binary|22|"; content:"|22|args|22|"; content:"|5b 22|"; within:5; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:attempted-admin; sid:2052319; rev:2; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Selenium Server Grid Chrome 3.141.59 Remote Code Execution - Successful"; flow:established,to_client; flowbits:isset,ET.Selenium314159.RCE; http.stat_code; content:"500"; http.server; content:"Jetty"; startswith; file.data; content:"org|2e|openqa|2e|selenium|2e|WebDriverException|3a 20|unknown|20|error|3a 20|Chrome|20|failed|20|to|20|start|3a 20|exited|20|normally|2e|"; content:"unknown|20|error|3a 20|DevToolsActivePort|20|file|20|doesn|27|t|20|exist|29 5c|n|20 20 28|The|20|process|20|started|20|from|20|chrome|20|location"; fast_pattern; reference:url,github.com/BoredHackerBlog/selenium_code_exec_notes; classtype:successful-admin; sid:2052359; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_05_02, deployment Perimeter, deployment Internal, confidence High, signature_severity Critical, updated_at 2024_05_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:src_ip;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190)"; flow:from_server,established; file.data; bsize:>4095; content:"ms|2d|msdt|3a 2f|"; nocase; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 2f 2e 2e 
2f|Windows|2f|System32|2f|mpsigstub|2e|exe"; distance:700; fast_pattern; reference:cve,2022-30190; reference:md5,783f850d06c9f1286eb9b1bda0af0bce; classtype:attempted-user; sid:2037083; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_06_22, cve CVE_2022_30190, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_07, reviewed_at 2024_05_07;) alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow:established,to_server; content:"|3b|"; content:"|2d 00 2d 00|"; distance:0; fast_pattern; content:"|27 00|"; distance:0; reference:url,owasp.org/index.php/SQL_Injection; classtype:attempted-user; sid:2000488; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2024_05_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DIR-X4860 RCE Attempt Inbound"; flow:established,to_server; http.request_body; content:""; pcre:"/^[^<]+\x3b/R"; http.header_names; content:"|0d 0a|HNAP_AUTH|0d 0a|"; classtype:attempted-admin; sid:2052820; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, created_at 2024_05_22, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_05_22;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M1 (CVE-2022-21587)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OA_HTML/BneUploaderService"; startswith; fast_pattern; content:"bne:uueupload=TRUE"; reference:url,blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/; reference:cve,2022-21587; classtype:attempted-admin; 
sid:2044010; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_01_27, cve CVE_2022_21587, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, reviewed_at 2024_12_11;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Korenix JetWave formSysCmd Command Injection Attempt (CVE-2016-20017)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/formSysCmd"; fast_pattern; http.request_body; content:"sysCmd="; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2016-20017; classtype:attempted-admin; sid:2049120; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_11_08, cve CVE_2016_20017, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DSL-2750B Command Injection Attempt (CVE-2016-20017)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/login.cgi?cli="; fast_pattern; http.uri.raw; content:"?cli="; content:"%27"; distance:0; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2016-20017; classtype:attempted-admin; sid:2049119; rev:2; metadata:affected_product D_Link, attack_target Networking_Equipment, created_at 2023_11_08, cve CVE_2016_20017, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link DIR-825 R1 Web 
Interface RCE (CVE-2020-29557)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check_browser?lang="; nocase; fast_pattern; isdataat:100,relative; reference:url,shaqed.github.io/dlink/; reference:cve,2020-29557; classtype:attempted-admin; sid:2034280; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_10_28, cve CVE_2020_29557, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link TRENDnet NCC Service Command Injection Attempt (CVE-2015-1187)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cpp"; endswith; http.request_body; content:"&ping_addr=|24 28|"; fast_pattern; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2015-1187; classtype:attempted-admin; sid:2049118; rev:2; metadata:affected_product D_Link, attack_target Networking_Equipment, created_at 2023_11_08, cve CVE_2015_1187, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, reviewed_at 2023_11_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Attempted IDSVSE IP Camera RCE"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ctrl.cgi?language=ie&sntpip="; startswith; content:"uname"; distance:0; content:"telnet"; distance:0; content:"&timezone="; content:"&timezone=13&setdaylight=0&timeformat=2&tstampformat=2"; reference:url,en.0day.today/exploit/27569; classtype:attempted-admin; sid:2034480; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_11_17, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_05_22;) 
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Totolink Command Injection Attempt (CVE-2020-40475)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadFile.cgi?payload="; fast_pattern; content:"|60|"; distance:0; reference:url,www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits; reference:cve,2020-40475; classtype:attempted-admin; sid:2049121; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_11_08, cve CVE_2020_40475, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_05_22, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M2 (CVE-2022-21587)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OA_HTML/BneViewerXMLService"; startswith; fast_pattern; content:"bne:uueupload=TRUE"; reference:url,blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/; reference:cve,2022-21587; classtype:attempted-admin; sid:2044011; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_01_27, cve CVE_2022_21587, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, reviewed_at 2024_12_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M3 (CVE-2022-21587)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OA_HTML/BneDownloadService"; startswith; fast_pattern; content:"bne:uueupload=TRUE"; reference:url,blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/; reference:cve,2022-21587; classtype:attempted-admin; sid:2044012; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_01_27, 
cve CVE_2022_21587, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, reviewed_at 2024_12_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenTSDB RCE in HTTP Request M1 (CVE-2023-25826)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|q|3f|"; fast_pattern; startswith; content:"start="; distance:0; content:"&m="; content:"|3a|"; distance:0; content:"&o="; content:"&key="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/UR"; content:"&wxh="; content:"&json"; endswith; reference:cve,2023-25826; reference:url,synopsys.com/blogs/software-security/opentsdb.html; reference:url,opentsdb.net/docs/build/html/user_guide/guis/index.html; reference:url,packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html; classtype:trojan-activity; sid:2052823; rev:1; metadata:affected_product OpenTSDB, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_22, cve CVE_2023_25826, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenTSDB RCE in HTTP Request M2 (CVE-2023-25826)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|q|3f|"; fast_pattern; startswith; content:"start="; distance:0; content:"&m="; content:"|3a|"; distance:0; content:"&o="; content:"&wxh="; content:"&style="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/UR"; content:"&json"; endswith; reference:cve,2023-25826; reference:url,synopsys.com/blogs/software-security/opentsdb.html; reference:url,opentsdb.net/docs/build/html/user_guide/guis/index.html; reference:url,packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html; classtype:trojan-activity; 
sid:2052824; rev:1; metadata:affected_product OpenTSDB, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_22, cve CVE_2023_25826, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenTSDB RCE in HTTP Request M3 (CVE-2023-25826)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|q|3f|"; fast_pattern; startswith; content:"start="; distance:0; content:"&m="; content:"|3a|"; distance:0; content:"&o="; content:"&wxh="; content:"&smooth="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/UR"; content:"&json"; endswith; reference:cve,2023-25826; reference:url,synopsys.com/blogs/software-security/opentsdb.html; reference:url,opentsdb.net/docs/build/html/user_guide/guis/index.html; reference:url,packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html; classtype:trojan-activity; sid:2052825; rev:1; metadata:affected_product OpenTSDB, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_22, cve CVE_2023_25826, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Oracle E-Business RCE Attempt Inbound M4 (CVE-2022-21587)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/OA_HTML/BneOfflineLOVService"; startswith; fast_pattern; content:"bne:uueupload=TRUE"; reference:url,blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/; reference:cve,2022-21587; classtype:attempted-admin; sid:2044013; rev:2; metadata:attack_target Client_Endpoint, 
created_at 2023_01_27, cve CVE_2022_21587, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_05_22, reviewed_at 2024_12_11;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenTSDB RCE in HTTP Request M1 (CVE-2023-25827)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|q|3f|"; fast_pattern; startswith; content:"start="; distance:0; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/UR"; content:"&m="; content:"|3a|"; distance:0; content:"&o="; content:"&key="; content:"&wxh="; content:"&json"; endswith; reference:cve,2023-25827; reference:url,synopsys.com/blogs/software-security/opentsdb.html; reference:url,opentsdb.net/docs/build/html/user_guide/guis/index.html; reference:url,packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html; classtype:trojan-activity; sid:2052826; rev:1; metadata:affected_product OpenTSDB, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_22, cve CVE_2023_25827, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_05_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp any any -> $HOME_NET 7900 (msg:"ET EXPLOIT Fortinet FortiSIEM Unauthenticated Command Injection CVE-2024-23108"; flow:established,to_server; content:"|51 00 00 00|"; startswith; content:"]*>[^\x3b<]+\x3b[^<]+<\/mount_point>/Rsi"; reference:url,horizon3.ai/attack-research/cve-2024-23108-fortinet-fortisiem-2nd-order-command-injection-deep-dive/; reference:cve,2024-23108; classtype:misc-attack; sid:2052889; rev:1; metadata:attack_target Server, created_at 2024_05_28, cve CVE_2024_23108, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id 
T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-LINK Router DIR-645 / DIR-815 RCE (CVE-2014-100005)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/diagnostic.php"; fast_pattern; endswith; http.request_body; content:"act=ping"; content:"dst="; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; reference:cve,2014-100005; reference:url,raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb; classtype:attempted-admin; sid:2052885; rev:2; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_05_24, cve CVE_2014_100005, deployment Perimeter, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_05_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp any any -> $HOME_NET 7900 (msg:"ET EXPLOIT Fortinet FortiSIEM Unauthenticated Command Injection CVE-2023-34992"; flow:established,to_server; content:"|51 00 00 00|"; startswith; content:"]*>[^\x3b<]+\x3b[^<]+<\/server_ip>/Rsi"; reference:url,horizon3.ai/attack-research/cve-2023-34992-fortinet-fortisiem-command-injection-deep-dive/; reference:cve,2023-34992; classtype:misc-attack; sid:2052888; rev:2; metadata:attack_target Server, created_at 2024_05_28, cve CVE_2023_34992, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_05_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT HikVision iSecure Center RCE Attempt Inbound"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/applyAutoLoginTicket"; endswith; fast_pattern; http.header_names; 
content:"|0d 0a|cmd|0d 0a|"; nocase; classtype:attempted-admin; sid:2053329; rev:1; metadata:affected_product HikVision, attack_target Server, created_at 2024_06_07, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PHP-Live-Chat Get Shell Attempt Inbound"; flow:established,to_server; urilen:35; http.method; content:"POST"; http.uri; content:"|2f|php|2f|app|2e|php|3f|mobile|2d|operator|2d|create"; http.request_body; content:"roles=OPERATOR&name="; startswith; fast_pattern; content:"&mail="; content:"&password="; reference:url,github.com/wy876/POC/tree/main; classtype:attempted-admin; sid:2053401; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, tls_state plaintext, created_at 2024_06_10, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_10;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Hongjing eHR Showmedia.jsp SQL Injection Inbound"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|train|2f|resource|2f|course|2f|showmedia|2e|jsp|3f|a|5f|code|26|r5100|3d|"; startswith; fast_pattern; reference:url,github.com/Co5mos/nuclei-tps/blob/main/http/vulnerabilities/hjsoft/hjsoft-ehr-showmedia-sqli.yaml; classtype:attempted-admin; sid:2053409; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_06_10, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> 
[$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NextGen Mirth Connect <4.4.1 RCE Attempt (CVE-2023-43208)"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/api/users"; http.content_type; content:"application/xml"; nocase; http.request_body; content:"|20 20 3c|string|3e|"; startswith; content:"|3c|iMethodName|3e|getMethod|3c 2f|iMethodName|3e|"; content:"|3c|string|3e|getRuntime|3c 2f|string|3e|"; content:"|3c|iMethodName|3e|invoke|3c 2f|iMethodName|3e 0d 0a|"; fast_pattern; reference:cve,2023-43208; reference:url,horizon3.ai/attack-research/attack-blogs/writeup-for-cve-2023-43208-nextgen-mirth-connect-pre-auth-rce/; classtype:attempted-admin; sid:2053410; rev:1; metadata:attack_target Server, created_at 2024_06_10, cve CVE_2023_43208, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UFIDA PLM getWorkGroups Unauthorized Information Access Attempt"; flow:established,to_server; urilen:24; http.method; content:"POST"; http.uri; content:"/services/MessageService"; http.request_body; content:"|3c|soapenv|3a|"; startswith; content:"xmlns|3a|mes|3d 22|MessageService|22 3e|"; fast_pattern; content:"|3c|mes|3a|getWorkGroups|2f 3e|"; reference:url,github.com/wy876/POC/blob/main/%E7%94%A8%E5%8F%8B%E6%99%BA%E7%9F%B3%E5%BC%80PLM-getWorkGroups%E5%AD%98%E5%9C%A8%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053442; rev:1; metadata:attack_target Server, created_at 2024_06_11, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Exploit, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, 
mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Zhibang International ERP System SQL Injection Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|SYSN|2f|json|2f|pcclient|2f|GetPersonalSealData|2e|ashx|3f|imageDate|3d|1|26|userId|3d|"; startswith; fast_pattern; pcre:"/(?:SELECT|UPDATE|DELETE|INSERT|CREATE|ALTER|DROP)/Ri"; reference:url,github.com/wy876/POC/blob/main/%E6%99%BA%E9%82%A6%E5%9B%BD%E9%99%85ERP-GetPersonalSealData.ashx%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053444; rev:1; metadata:attack_target Server, created_at 2024_06_11, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ZhongCheng Kexin Ticket Management System SQLi Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"ReserveTicketManagerPlane|2e|ashx"; endswith; fast_pattern; http.request_body; content:"Method=GetGuideByCode&inputType=20&codeValue="; startswith; pcre:"/(?:SELECT|UPDATE|DELETE|INSERT|CREATE|ALTER|DROP|--|DELAY)/Ri"; reference:url,github.com/wy876/POC/blob/main/%E4%B8%AD%E6%88%90%E7%A7%91%E4%BF%A1%E7%A5%A8%E5%8A%A1%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9FReserveTicketManagerPlane.ashx%E5%AD%98%E5%9C%A8SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053445; rev:1; metadata:attack_target Server, created_at 2024_06_11, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, 
mitre_technique_name Exploit_Public_Facing_Application;)
# NOTE(review): the reference on sid 2053447 points at a wy876/POC write-up whose path names "rewrite.php"
# and appears (from the percent-encoded title) to describe a telecom gateway configuration-backend file
# upload, not JEPaaS; the rule that actually matches /manager/teletext/material/rewrite.php (sid 2053478)
# carries a Dahua user_edit.action link instead. The two references look swapped - verify upstream before
# citing. This rule also lacks the affected_product / attack_target metadata its neighbours carry.
alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT JEPaaS Development Platform File Upload Authentication Bypass"; flow:established,to_server; urilen:32; http.method; content:"POST"; http.uri; content:"|2f|je|2f|document|2f|file|3f|bucket|3d|webroot"; fast_pattern; http.header; content:"|0d 0a|internalRequestKey|3a 20|schedule|5f|"; http.request_body; content:"name=|22|"; content:"filename="; reference:url,github.com/wy876/POC/blob/main/%E7%94%B5%E4%BF%A1%E7%BD%91%E5%85%B3%E9%85%8D%E7%BD%AE%E7%AE%A1%E7%90%86%E5%90%8E%E5%8F%B0rewrite.php%E6%8E%A5%E5%8F%A3%E5%AD%98%E5%9C%A8%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053447; rev:1; metadata:created_at 2024_06_11, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
# NOTE(review): sid 2053448 requires the value after the "extension" key to be exactly ".trdp" or ".trbp"
# (leading dot, case-insensitive). The three JSON key matches carry no distance/within, so they are matched
# independently anywhere in the body and in any order.
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Telerik Deserialization Attempt - POST to Vulnerable Path with Specific Extension (CVE-2024-1800)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/reportserver/report"; endswith; fast_pattern; http.request_body; content:"|22|reportName|22|"; content:"|22|reportContent|22|"; content:"|22|extension|22|"; pcre:"/^[^\x22]+\x22\.tr(d|b)p\x22/Ri"; reference:cve,2024-1800; classtype:attempted-admin; sid:2053448; rev:1; metadata:attack_target Server, created_at 2024_06_11, cve CVE_2024_1800, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any 
(msg:"ET EXPLOIT Possible Telerik Auth Bypass Attempt - Account Creation from External Host (CVE-2024-4358)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/Report/Index"; endswith; fast_pattern; http.request_body; content:"|22|Username|22|"; content:"|22|Password|22|"; content:"|22|ConfirmPassword|22|"; reference:cve,2024-4358; classtype:attempted-admin; sid:2053453; rev:1; metadata:attack_target Server, created_at 2024_06_11, cve CVE_2024_4358, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Dahua DSS Security Management Platform Attempted Privilege Escalation"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:37; content:"|2f|admin|2f|cascade|5f 2f|user|5f|edit|2e|action|3f|id|3d|1"; fast_pattern; reference:url,github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8E%E5%9F%8E%E5%B8%82%E5%AE%89%E9%98%B2%E7%9B%91%E6%8E%A7%E7%B3%BB%E7%BB%9F%E5%B9%B3%E5%8F%B0%E7%AE%A1%E7%90%86%E5%AD%98%E5%9C%A8user_edit.action%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053477; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2024_06_12, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Telecommunications Gateway Configuration Management System Unauthenticated File Upload"; flow:established,to_server; urilen:38; http.method; content:"POST"; http.uri; 
content:"|2f|manager|2f|teletext|2f|material|2f|rewrite|2e|php"; fast_pattern; http.content_type; content:"multipart/form-data"; startswith; http.request_body; content:"name=|22|"; content:"filename=|22|"; content:"Content|2d|Type|3a 20|image|2f|png|0d 0a 0d 0a 3c 3f|php|20|system|28 22|"; reference:url,github.com/wy876/POC/blob/main/%E5%A4%A7%E5%8D%8E%E5%9F%8E%E5%B8%82%E5%AE%89%E9%98%B2%E7%9B%91%E6%8E%A7%E7%B3%BB%E7%BB%9F%E5%B9%B3%E5%8F%B0%E7%AE%A1%E7%90%86%E5%AD%98%E5%9C%A8user_edit.action%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E.md; classtype:attempted-admin; sid:2053478; rev:1; metadata:attack_target Server, created_at 2024_06_12, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
# NOTE(review): the rule above (sid 2053478; its header is on the preceding line) carries a reference URL
# that is byte-identical to the one on sid 2053477 (Dahua DSS user_edit.action) and does not describe the
# rewrite.php upload it matches; the rewrite.php write-up URL sits on sid 2053447 instead. Its body match
# also requires the uploaded part to begin with the exact bytes "<?php system(\"" directly after a
# "Content-Type: image/png" part header, so a different PHP stager, MIME type or any leading whitespace
# is not detected - treat it as a check for the published PoC only.
# NOTE(review): sid 2053704's pcre "^(\x2e{1,2}\x2f)" accepts a single "./" as well as "../", so a
# fileName=./<name> request fires too; only the first path segment after "fileName=" is examined.
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HikVision Arbitrary Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/orgManage/v1/orgs/download?fileName="; fast_pattern; pcre:"/^(\x2e{1,2}\x2f)/Ri"; reference:url,github.com/wy876/POC/blob/main/%E6%B5%B7%E5%BA%B7%E5%A8%81%E8%A7%86%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2download%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md; classtype:attempted-recon; sid:2053704; rev:1; metadata:affected_product HikVision, created_at 2024_06_17, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_06_18, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT [TW] Possible MSXMLHTTP Request"; flow:established,to_server; flowbits:set,TW.MS.MSIE7; flowbits:noalert; http.user_agent; content:"Mozilla/4.0 
(compatible|3b 20|MSIE 7.0|3b 20|Windows NT"; depth:45; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Cookie|0d 0a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2053705; rev:1; metadata:attack_target Client_and_Server, created_at 2024_06_17, deployment Perimeter, deprecation_reason Performance, performance_impact Significant, confidence Low, signature_severity Informational, updated_at 2024_06_18; target:dest_ip;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT [TW] EXPLOIT Possible MMC Remote Command Execution"; flow:established,to_client; flowbits:isset,TW.MS.MSIE7; http.stat_code; content:"200"; http.response_body; content:" $HOME_NET any (msg:"ET EXPLOIT Adobe ColdFusion Deserialization of Untrusted Data (CVE-2023-26360) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; nocase; content:"method="; nocase; content:"_cfclient=true"; nocase; fast_pattern; http.request_body; content:"_variables="; nocase; content:"_variables"; distance:0; content:"_metadata"; content:"classname"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb; reference:url,www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a; reference:cve,2023-26360; reference:url,attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis; classtype:attempted-user; sid:2049471; rev:2; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_05, cve CVE_2023_26360, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SugarCRM Auth Bypass Attempt 2022-12-31"; flow:established,to_server; 
http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; content:"PHPSESSID|3d|"; startswith; pcre:"/^PHPSESSID\x3d[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}$/"; http.request_body; content:"module=Users"; nocase; content:"action=Authenticate"; nocase; content:"user_name=1"; nocase; content:"user_password=1"; nocase; fast_pattern; reference:url,packetstormsecurity.com/files/170346/SugarCRM-Shell-Upload.html; reference:url,sugarclub.sugarcrm.com/dev-club/f/questions-answers/6123/exploit-for-sugarcrm-shell-upload; classtype:trojan-activity; sid:2043272; rev:2; metadata:affected_product SugarCRM, attack_target Server, created_at 2023_01_11, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Adobe ColdFusion Deserialization of Untrusted Data (CVE-2023-26360) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; nocase; content:"method="; nocase; content:"_cfclient=true"; nocase; fast_pattern; http.request_body; content:"_variables="; nocase; content:"cfexecute"; nocase; content:"name"; nocase; distance:0; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb; reference:url,www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a; reference:cve,2023-26360; reference:url,attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis; classtype:attempted-user; sid:2049472; rev:2; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_05, cve CVE_2023_26360, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, 
mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Archeevo 5.0 - Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/error?StatusCode=404&file="; fast_pattern; content:!"~/FileNotFoundPage.html"; within:23; reference:url,www.exploit-db.com/exploits/50665; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,miguelsantareno.github.io/MoD_1.pdf; classtype:attempted-admin; sid:2036740; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Server, created_at 2022_06_01, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ownCloud Information Disclosure Attempt (CVE-2023-49103)"; flow:established,to_server; flowbits:set,ET.CVE-2023-49103.request; http.uri; content:"/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"; fast_pattern; reference:url,www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/; reference:url,owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/; reference:cve,2023-49103; reference:url,www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/; classtype:attempted-recon; sid:2049614; rev:2; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49103, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, 
mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Adobe ColdFusion Deserialization of Untrusted Data (CVE-2023-26360) M3"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cfc?"; nocase; content:"method="; nocase; content:"_cfclient=true"; nocase; fast_pattern; http.request_body; content:"_variables="; nocase; content:"cffile"; nocase; content:"action"; nocase; within:100; content:"write"; within:20; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/adobe_coldfusion_rce_cve_2023_26360.rb; reference:url,www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a; reference:cve,2023-26360; reference:url,attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis; classtype:attempted-user; sid:2049473; rev:2; metadata:affected_product Adobe_Coldfusion, attack_target Server, created_at 2023_12_05, cve CVE_2023_26360, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT WS_FTP Reflected XSS Payload Observed M1 (CVE-2022-27665)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WtmApiService.asmx/GetFileSubTree"; http.request_body; content:"|22|subFolderPath|22 3a 22 7b 7b|"; fast_pattern; reference:cve,2022-27665; reference:url,github.com/dievus/CVE-2022-27665; classtype:attempted-admin; sid:2048317; rev:2; metadata:affected_product WS_FTP, attack_target Server, created_at 2023_09_28, cve CVE_2022_27665, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, reviewed_at 2023_09_28, 
mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M2"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49103.request; http.stat_code; content:"200"; http.response_body; content:"OWNCLOUD_ADMIN_"; fast_pattern; reference:url,www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/; reference:url,owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/; reference:cve,2023-49103; reference:url,www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/; classtype:successful-recon-limited; sid:2049616; rev:3; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49103, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M2"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"script"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035273; rev:3; metadata:created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> 
[$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA SSRF Pattern (CVE-2024-21893)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-ws/"; fast_pattern; content:".ws"; http.request_body; content:" [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Fuel CMS 1.4.1 RCE (CVE-2018-16763)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fuel/pages/select/"; fast_pattern; content:"filter=|27 2b|"; content:"|2b 27|"; distance:0; reference:url,github.com/daylightstudio/FUEL-CMS/issues/478; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2018-16763; classtype:attempted-admin; sid:2036748; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2018_16763, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M1"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49103.request; http.stat_code; content:"200"; http.response_body; content:"phpinfo|28 29|"; fast_pattern; reference:url,www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/; reference:url,owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/; reference:cve,2023-49103; reference:url,www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/; classtype:successful-recon-limited; sid:2049615; rev:3; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49103, deployment Perimeter, deployment 
Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Ivanti Connect Secure (9.x,22.x) / Ivanti Policy Secure (9.x,22.x) / Ivanti Neurons for ZTA Command Injection via SSRF (CVE-2024-21887)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana-ws/"; fast_pattern; content:".ws"; http.request_body; content:" [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Atlassian Confluence RCE Attempt Observed (CVE-2023-22527) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".vm"; endswith; http.request_body; content:".KEY_velocity.struts2"; fast_pattern; content:"%7b"; distance:0; content:"%7d"; distance:0; reference:cve,2023-22527; classtype:attempted-admin; sid:2050543; rev:2; metadata:affected_product Atlassian_Confluence, attack_target Server, created_at 2024_01_29, cve CVE_2023_22527, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> any any (msg:"ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zhnping.cmd?"; fast_pattern; content:"test=ping"; content:"sessionKey="; content:"ipAddr="; pcre:"/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,www.exploit-db.com/exploits/38453; 
reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2014-9118; classtype:attempted-admin; sid:2036749; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2014_9118, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49105.request; http.response_body; content:"xmlns|3a|oc|3d 22|http|3a 2f 2f|owncloud|2e|org|2f|ns|22 3e|"; content:"|3c|d|3a|href|3e 2f|remote|2e|php|2f|"; fast_pattern; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:successful-admin; sid:2049618; rev:3; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49105, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT WordPress Plugin cab-fare-calculator 1.0.3 - Local File Inclusion"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cab-fare-calculator/"; fast_pattern; content:"controller=|2e 2e 2f|"; distance:0; reference:url,www.exploit-db.com/exploits/50843; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; 
classtype:attempted-admin; sid:2036739; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Server, created_at 2022_06_01, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_server; flowbits:set,ET.CVE-2023-49105.request; http.method; content:!"OPTIONS"; http.uri; content:"/remote.php/dav"; fast_pattern; content:"OC-Credential="; nocase; content:"OC-Verb="; nocase; content:"OC-Expires="; nocase; content:"OC-Date="; nocase; content:"OC-Signature="; nocase; pcre:"/^[a-f0-9]{64}(?:&|$)/R"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:attempted-admin; sid:2049617; rev:2; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49105, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache APISIX Admin API Authentication Bypass (CVE-2022-24112) M1"; flow:established,to_server; http.request_line; content:"POST /apisix/batch-requests HTTP/1.1"; fast_pattern; http.request_body; content:"X-Real-IP"; nocase; content:"api_key=edd1c9f034335f136f87ad84b625c8f1"; distance:0; content:"filter_func"; reference:cve,2022-24112; classtype:attempted-admin; sid:2035272; rev:3; metadata:created_at 2022_02_22, cve CVE_2022_24112, deployment Perimeter, 
deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SugarCRM PHP Shell Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index.php"; http.cookie; content:"PHPSESSID|3d|"; startswith; pcre:"/^PHPSESSID\x3d[0-9a-f]{8}\b-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-\b[0-9a-f]{12}$/"; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|module|22 0d 0a 0d 0a|EmailTemplates|0d 0a|"; nocase; fast_pattern; content:"|0d 0a|Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|action|22 0d 0a 0d 0a|AttachFiles|0d 0a|"; nocase; content:"|89 50 4e 47 0d 0a 1a 0a|"; distance:0; content:" any any (msg:"ET EXPLOIT Zhone ZNID GPON 2426A < S3.0.501 RCE (CVE-2014-9118) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/zhnping.cmd?"; fast_pattern; content:"test=traceroute"; content:"sessionKey="; content:"ipAddr="; pcre:"/^[a-z0-9\.]+(?:[\x60\x3b\x7c\x26]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/Ri"; reference:url,www.exploit-db.com/exploits/38453; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:cve,2014-9118; classtype:attempted-admin; sid:2036750; rev:2; metadata:attack_target Server, created_at 2022_06_02, cve CVE_2014_9118, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MoveIT Transfer SFTP Authentication 
Bypass Attempt Inbound M0 (CVE-2024-5806)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/guestaccess.aspx"; fast_pattern; http.request_body; content:"&Arg12="; pcre:"/^\r?\n?\x2d{4}/R"; reference:cve,2024-5806; reference:url,labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/; classtype:attempted-admin; sid:2053883; rev:1; metadata:created_at 2024_06_26, cve CVE_2024_5806, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MoveIT Transfer SFTP Authentication Bypass Attempt Inbound M1 (CVE-2024-5806)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/guestaccess.aspx"; fast_pattern; http.request_body; content:"&Arg12="; content:"PuTTY-User-Key-File"; within:50; reference:cve,2024-5806; reference:url,labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-moveit-transfer-cve-2024-5806/; classtype:attempted-admin; sid:2053884; rev:1; metadata:created_at 2024_06_26, cve CVE_2024_5806, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TerraMaster TOS RCE via OS Command Injection Inbound (CVE-2020-28188)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php|3f|Event|3d|"; fast_pattern; pcre:"/^(?:\x3b|\x0a|\x26|\x60|\x7C|\x24)/R"; content:"wget"; distance:0; content:!"oast.fun"; http.header_names; content:!"Referer"; threshold:type limit, seconds 600, count 5, track by_src; 
reference:url,research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet; classtype:attempted-admin; sid:2034200; rev:5; metadata:affected_product Web_Server_Applications, attack_target Server, created_at 2021_10_15, cve CVE_2020_28188, deployment Perimeter, deprecation_reason Relevance, confidence High, signature_severity Major, updated_at 2024_06_26, reviewed_at 2024_06_26, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Kingdee Cloud Star Deserialization Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"Kingdee"; content:".UserService."; distance:0; http.content_type; content:"text/json"; http.header_names; content:"|0d 0a|cmd|0d 0a|"; fast_pattern; http.request_body; content:"|22|ap0|22 3a 22|"; reference:url,github.com/wy876/POC/blob/main/%E9%87%91%E8%9D%B6%E4%BA%91%E6%98%9F%E7%A9%BAUserService%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%E6%BC%8F%E6%B4%9E.md; reference:url,gksec.com/K3cloud_rce.html; classtype:trojan-activity; sid:2054074; rev:1; metadata:affected_product Kingdee_Cloud, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_06_26, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2024_06_26;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Splunk Unauthenticated Path Traversal Attempt Inbound (CVE-2024-36991)"; flow:established,to_server; http.uri; content:"/modules/messaging"; fast_pattern; pcre:"/^\/([A-Z]:\.(\.?(\/\/?|\\\\?))){2,}/Ri"; reference:cve,2024-36991; classtype:attempted-admin; sid:2054410; rev:1; metadata:affected_product Splunk, created_at 2024_07_09, cve CVE_2024_36991, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_07_09, mitre_tactic_id TA0007, mitre_tactic_name Discovery, 
mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Rejetto HTTP File Server Unauthenticated RCE Attempt (CVE-2024-23692)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/?search=%"; fast_pattern; content:"|7d 7b 2e|"; reference:cve,2024-23692; reference:url,github.com/jakabakos/CVE-2024-23692-RCE-in-Rejetto-HFS/blob/master/exploit.py; classtype:attempted-admin; sid:2054424; rev:1; metadata:attack_target Server, created_at 2024_07_10, cve CVE_2024_23692, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_07_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert udp any any -> $HOME_NET 427 (msg:"ET EXPLOIT OpenBMC slpd-lite Language Tag Length Memory Corruption Attempt (CVE-2024-41660)"; content:"|02 09 00 00 00 ff 00 00 00 00 00 00 00|"; startswith; fast_pattern; pcre:"/^(\xff\xff|\xfd\xe8)/R"; reference:url,www.tetrelsec.com/posts/cve-2024-41660-slpd-lite/; reference:cve,2024-41660; classtype:attempted-admin; sid:2055309; rev:1; metadata:affected_product OpenBMC, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_08_16, cve CVE_2024_41660, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_08_16; target:dest_ip;) alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Cisco Smart Software Manager On-Prem (SSM On-Prem) Unauthenticated Password Change Attempt (CVE-2024-20419)"; flow:established,to_server; flowbits:set,ET.CVE-2024-20419.request; urilen:37; http.method; content:"POST"; http.uri; content:"/backend/reset_password/generate_code"; fast_pattern; http.cookie; content:"XSRF|2d|TOKEN|3d|"; startswith; 
http.content_type; content:"application/json"; startswith; threshold: type limit, count 1, seconds 600, track by_src; reference:cve,2024-20419; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-20419; reference:url,sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy; classtype:attempted-admin; sid:2056148; rev:1; metadata:affected_product Cisco_IOS, created_at 2024_09_24, cve CVE_2024_20419, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CVE_2024_20419, updated_at 2024_09_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT .NET Remoting SoapServerFormatterSink ObjRef Leak (CVE-2024-29059)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/RemoteApplicationMetadata.rem?wsdl"; fast_pattern; endswith; http.header; content:"__RequestVerb|3a 20|POST"; http.content_type; content:"text|2f|xml"; reference:url,code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/; reference:cve,2024-29059; classtype:web-application-attack; sid:2056204; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_09_26, cve CVE_2024_29059, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT .NET Remoting BinaryServerFormatterSink ObjRef Leak (CVE-2024-29059)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/RemoteApplicationMetadata.rem?wsdl"; fast_pattern; endswith; http.header; content:"__RequestVerb|3a 20|POST"; http.content_type; 
content:"application|2f|octet-stream"; reference:url,code-white.com/blog/leaking-objrefs-to-exploit-http-dotnet-remoting/; reference:cve,2024-29059; classtype:web-application-attack; sid:2056205; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_09_26, cve CVE_2024_29059, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Veeam Backup & Replication Cloud Connect RCE Attempt Inbound (CVE-2023-27532)"; flow:established,to_server; content:""; content:"xp_cmdshell"; fast_pattern; reference:cve,2023-27532; classtype:attempted-admin; sid:2056209; rev:1; metadata:attack_target Server, created_at 2024_09_26, cve CVE_2023_27532, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Microsoft Office Spoofing to HTTP Redirect Inbound (CVE-2024-38200)"; flow:established,to_client; http.content_type; pcre:"/^(?:application\x2fjavascript|text\x2fhtml)$/"; http.response_body; content:"|7c|u|7c|http"; fast_pattern; pcre:"/ms-(?:word|powerpoint|excel|visio|access|project|publisher|spd|infopath)\x3a(?:of(?:e|v)|nft)\x7cu\x7chttps?\x3a\x2f{2}/i"; content:!"|2e|office|2e|net|2f|"; reference:url,github.com/passtheticket/CVE-2024-38200; reference:cve,2024-38200; classtype:bad-unknown; sid:2056375; rev:1; metadata:affected_product MS_Office, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_10_01, cve CVE_2024_38200, deployment 
Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_01; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT glibc iconv Arbitrary File Read RCE (CVE-2024-2961)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"php%3a%2f%2ffilter%2fread%3d"; nocase; pcre:"/^(?:(?:convert\x2e(?:quoted-printable-(?:en|de)code|iconv(?:\x2e[a-z0-9_-]+){2}|base64-(?:de|en)code)|zlib\x2e(?:(?:in|de)flate)|string\x2e(?:(?:to(?:upp|low)er)|rot13|strip_tags)|dechunk|consumed)(?:\x7c|\x2f)?)+/R"; content:"|2e|ISO-2022-CN-EXT%7c"; fast_pattern; nocase; content:"%2fresource%3d"; nocase; distance:0; reference:url,www.ambionics.io/blog/iconv-cve-2024-2961-p1; reference:cve,2024-2961; classtype:web-application-attack; sid:2056446; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_03, cve CVE_2024_2961, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Solarwinds Serv-U Directory Traversal Attempt Inbound (CVE-2024-28995)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/?InternalDir="; fast_pattern; pcre:"/^.{0,10}(?:\x2f|\x5c|%5[Cc]|%2[Ff])?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; content:"&InternalFile="; reference:url,www.labs.greynoise.io/grimoire/2024-06-solarwinds-serv-u/; reference:cve,2024-28995; classtype:attempted-admin; sid:2053801; rev:2; metadata:affected_product SolarWinds, created_at 2024_06_23, cve CVE_2024_28995, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_10_04, mitre_tactic_id TA0001, mitre_tactic_name 
Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT PHP Arbitrary Object Instantiation - ImageMagick MSL File Descriptor RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"Imagick"; content:"text|3a|fd|3a|"; fast_pattern; http.request_body; content:"|2e|msl"; content:"|3c|read|20|"; content:"|3c|write|20|"; reference:url,swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/; classtype:web-application-attack; sid:2056501; rev:1; metadata:affected_product PHP, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_07, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT PHP Arbitrary Object Instantiation RCE - ImageMagick MSL VID Scheme"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"Imagick"; content:"vid|3a|msl|3a 2f|"; fast_pattern; http.request_body; content:"|2e|msl"; content:"|3c|read|20|"; content:"|3c|write|20|"; reference:url,swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/; classtype:web-application-attack; sid:2056526; rev:1; metadata:affected_product PHP, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_07, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit 
Attempt (CVE-2024-8963)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|client|2f|index|2e|php|3f 2e|php|2f|gsb|2f|"; startswith; fast_pattern; content:"|2e|php"; endswith; reference:cve,2024-8190; reference:url,fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa; reference:url,forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190; classtype:attempted-admin; sid:2056685; rev:1; metadata:affected_product Ivanti, created_at 2024_10_15, cve CVE_2024_8963, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_10_15, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert tcp any any -> $HOME_NET 541 (msg:"ET EXPLOIT Fortinet FGFM Arbitrary Code Execution via Externally-Controlled Format String (CVE-2024-23113)"; flow:established,to_server; content:"|36 e0 11 00|"; startswith; content:"reply|20|200|0d 0a|"; fast_pattern; distance:4; content:"request|3d|auth|0d 0a|"; pcre:"/\x0d\x0a(authip|fmg_fqdn|mgmtip)\x3d[^\x0d\x0a]*?(?:\x25(?:(?:d|ul?|x|s|c|h?(?:n|p))|\d|\x2a|\x2e|\x5c?\x24)+)+/"; reference:url,labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/; reference:cve,2024-23113; classtype:attempted-admin; sid:2056730; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_10_18, cve CVE_2024_23113, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Tenda Router AC11 RCE 
Inbound (CVE-2021-31755)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/goform/setmac"; fast_pattern; http.request_body; content:"&mac="; reference:url,www.fortinet.com/blog/threat-research/the-ghosts-of-mirai; reference:url,github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-31755.yaml; reference:cve,2021-31755; classtype:attempted-admin; sid:2033284; rev:4; metadata:attack_target Networking_Equipment, tls_state plaintext, created_at 2021_07_08, cve CVE_2021_31755, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT PTZOptics PT30X Authentication Bypass Attempt Inbound (CVE-2024-8956)"; flow:established,to_server; flowbits:set,ET.2024.8956; urilen:<43; http.uri; content:"|2f|cgi|2d|bin|2f|param|2e|cgi|3f|"; startswith; fast_pattern; pcre:"/^(?:(?:get\x5fnetwork\x5fconf)|(?:get\x5fsystem\x5fconf)|(?:get\x5fnetport\x5fconf)|(?:post\x5fnetwork\x5fother\x5fconf))$/R"; http.header_names; content:!"|0d 0a|authorization|0d 0a|"; nocase; reference:cve,2024-8956; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-8956; reference:url,labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce; classtype:attempted-admin; sid:2057216; rev:1; metadata:affected_product IP_Camera, created_at 2024_11_04, cve CVE_2024_8956, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert tcp any any -> $HOME_NET 541 (msg:"ET EXPLOIT Fortinet FortiManager Unauthenticated 
Get File Transfer Handle"; flow:established,to_server; flowbits:set,ET.FMFG_CVE-2024-47575; content:"|36 e0 11 00|"; startswith; content:"get file_exchange|0d 0a|"; fast_pattern; distance:4; reference:url,labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/; classtype:attempted-admin; sid:2057690; rev:1; metadata:affected_product FortiManager, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_18, cve CVE_2024_47575, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert tcp $HOME_NET 541 -> any any (msg:"ET EXPLOIT Fortinet FortiManager File Transfer Handle Response"; flow:established,to_client; flowbits:isset,ET.FMFG_CVE-2024-47575; content:"|36 e0 11 00|"; startswith; content:"action|3d|ack"; fast_pattern; distance:4; content:"localid|3d|"; content:"remoteid|3d|"; reference:url,labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/; classtype:attempted-admin; sid:2057691; rev:1; metadata:affected_product FortiManager, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_18, cve CVE_2024_47575, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert tcp any any -> $HOME_NET 541 (msg:"ET EXPLOIT Fortinet FortiManager Unauthenticated Remote Code Execution (CVE-2024-47575) M1"; flow:established,to_server; content:"|36 e0 11 00|"; startswith; content:"channel|0d 0a|"; distance:4; content:"remoteid|3d|"; content:"/som/export"; fast_pattern; content:"|22|file|22 
3a|"; pcre:"/^.*?[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:url,labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-23113-cve-2024-47575/; reference:cve,2024-47575; classtype:attempted-admin; sid:2057692; rev:1; metadata:affected_product FortiManager, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_18, cve CVE_2024_47575, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert tcp any any -> $HOME_NET 541 (msg:"ET EXPLOIT Fortinet FortiManager Unauthenticated Open Server-Side Channel"; flow:established,to_server; flowbits:set,ET.FMFG_CVE-2024-47575; content:"|36 e0 11 00|"; startswith; content:"get connect_tcp|0d 0a|"; fast_pattern; distance:4; content:"tcp_port|3d|rsh"; content:"cmd|3d 2f|bin|2f|sh"; content:"localid|3d|0"; reference:url,attackerkb.com/topics/OFBGprmpIE/cve-2024-47575/rapid7-analysis; classtype:attempted-admin; sid:2057693; rev:1; metadata:affected_product FortiManager, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_18, cve CVE_2024_47575, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert tcp any any -> $HOME_NET 541 (msg:"ET EXPLOIT Fortinet FortiManager Unauthenticated Remote Code Execution (CVE-2024-47575) M2"; flow:established,to_server; content:"|36 e0 11 00|"; startswith; content:"channel|0d 0a|"; fast_pattern; distance:4; content:"remoteid|3d|"; content:"|0d 0a 0d 0a 00|"; isdataat:1,relative; reference:url,attackerkb.com/topics/OFBGprmpIE/cve-2024-47575/rapid7-analysis; 
reference:cve,2024-47575; classtype:attempted-admin; sid:2057694; rev:1; metadata:affected_product FortiManager, attack_target Server, tls_state TLSDecrypt, created_at 2024_11_18, cve CVE_2024_47575, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Progress Kemp LoadMaster RCE Attempt Inbound (CVE-2024-1212)"; flow:established,to_server; http.header; content:"Authorization|3a 20|Basic|20|"; fast_pattern; base64_decode:offset 0,relative; base64_data; content:"|27 3b|"; reference:cve,2024-1212; classtype:bad-unknown; sid:2057720; rev:1; metadata:attack_target Server, created_at 2024_11_19, cve CVE_2024_1212, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_11_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT OpenTSDB RCE in HTTP Request M2 (CVE-2023-25827)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|q|3f|"; fast_pattern; startswith; content:"start="; distance:0; content:"&end="; pcre:"/^[^&]*?[\x3b\x0a\x26\x60\x7c\x24]/UR"; content:"&m="; content:"|3a|"; distance:0; content:"&o="; content:"&key="; content:"&wxh="; content:"&json"; endswith; reference:cve,2023-25827; reference:url,synopsys.com/blogs/software-security/opentsdb.html; reference:url,opentsdb.net/docs/build/html/user_guide/guis/index.html; reference:url,packetstormsecurity.com/files/174570/OpenTSDB-2.4.1-Unauthenticated-Command-Injection.html; 
classtype:trojan-activity; sid:2052827; rev:2; metadata:affected_product OpenTSDB, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_05_22, cve CVE_2023_25827, deployment Perimeter, confidence High, signature_severity Major, updated_at 2024_11_22, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Linksys E1500/E2500 Remote Command Execution 3"; flow:established,to_server; urilen:10; http.method; content:"POST"; http.uri; content:"/apply.cgi"; fast_pattern; http.request_body; content:"submit|5f|button|3d|index|26|action|3d|"; startswith; content:"|26|adj|5f|time|5f|year|3d 24 28|"; distance:0; reference:url,homesupport.cisco.com/de-eu/support/routers/E1500; reference:url,exploit-db.com/exploits/24936; classtype:attempted-admin; sid:2057809; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_11_25, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_11_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT phpMyAdmin 4.8.1 - Local File Inclusion"; flow:to_server,established; http.uri; content:"db_sql.php"; nocase; http.uri.raw; content:"|2e 2e 2f|"; classtype:web-application-attack; sid:2025734; rev:4; metadata:affected_product PHP, attack_target Server, created_at 2018_06_22, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> 
[$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT WordPress Plugin video-synchro-pdf 1.7.4 - Local File Inclusion"; flow:established,to_server; http.uri.raw; content:"/reglages/Menu_Plugins/"; fast_pattern; content:"|2e|php?p=|2e 2e 2f|"; distance:0; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; reference:url,www.exploit-db.com/exploits/50844; classtype:attempted-admin; sid:2036727; rev:2; metadata:affected_product Wordpress_Plugins, attack_target Server, created_at 2022_05_31, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DBltek GoIP GoIP-1 GSM Gateway - Local File Inclusion"; flow:established,to_server; http.uri; content:"/default/en_US/frame."; startswith; fast_pattern; content:"html?"; within:10; pcre:"/^\x2fdefault\x2fen_US\x2fframe(?:\x2eA100)?\x2ehtml\?(?:content|sidebar)=.*\x2e\x2e\x2f/i"; reference:url,shufflingbytes.com/posts/hacking-goip-gsm-gateway/; reference:url,www.exploit-db.com/exploits/50775; reference:url,cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers; classtype:attempted-admin; sid:2036729; rev:3; metadata:attack_target Server, created_at 2022_05_31, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag LFI, tag RFI, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) #alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Potential Internet Explorer Use 
After Free CVE-2013-3163 Exploit URI Struct 1"; flow:established,to_server; http.uri; content:"/vid.aspx?id="; nocase; fast_pattern; pcre:"/^[a-zA-Z0-9]+$/Ri"; http.header_names; content:!"Cookie|0d 0a|"; reference:url,blogs.technet.com/b/srd/archive/2013/07/10/running-in-the-wild-not-for-so-long.aspx; classtype:attempted-user; sid:2017131; rev:8; metadata:attack_target Client_and_Server, created_at 2013_07_11, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;) #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT TAC Attack Directory Traversal"; flow:established,to_server; content:"/ISALogin.dll?"; http_uri; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; classtype:attempted-recon; sid:2002406; rev:6; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) #alert http $EXTERNAL_NET any -> $HOME_NET 8307 (msg:"ET EXPLOIT VMware 2 Web Server Directory Traversal"; flow:established,to_server; content:"|2f 2e 2e 2f 2e 2e 2f 2e 2e 2f|"; depth:60; reference:url,www.exploit-db.com/exploits/15617/; classtype:attempted-recon; sid:2012057; rev:3; metadata:created_at 2010_12_15, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) #alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP LaserJet PLJ 
Interface Directory Traversal"; flow:established,to_server; content:"|1b 25 2d|"; depth:3; content:"|20 28 29 20 50 4a 4c 20|"; within:25; content:"FSDIRLIST|20|NAME="; nocase; content:"|22|0|3a 5c 2e 2e 5c 2e 2e 5c 2e 2e|"; within:25; reference:url,www.exploit-db.com/exploits/15631/; reference:bugtraq,44882; reference:cve,2010-4107; classtype:misc-attack; sid:2012058; rev:3; metadata:created_at 2010_12_15, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Attempted Directory Traversal via HTTP Cookie (CVE-2020-9484)"; flow:established,to_server; http.cookie; content:"JSESSIONID=../"; startswith; fast_pattern; reference:url,github.com/masahiro331/CVE-2020-9484/blob/master/README.md; reference:cve,2020-9484; classtype:attempted-recon; sid:2030256; rev:2; metadata:affected_product Tomcat, created_at 2020_06_05, cve CVE_2020_9484, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT VMware Spring Cloud Directory Traversal (CVE-2020-5405)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/..%28_%29..%28_%29"; fast_pattern; reference:url,tanzu.vmware.com/security/cve-2020-5405; reference:cve,2020-5405; classtype:attempted-admin; sid:2030336; rev:2; metadata:affected_product VMware, created_at 2020_06_15, cve CVE_2020_5405, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, 
mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT VMware Spring Cloud Directory Traversal (CVE-2020-5410)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/..%252F..%252F"; nocase; fast_pattern; reference:url,xz.aliyun.com/t/7877; reference:cve,2020-5410; classtype:attempted-admin; sid:2030337; rev:2; metadata:affected_product VMware, created_at 2020_06_15, cve CVE_2020_5410, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT SAP NetWeaver AS Directory Traversal Attempt Inbound (CVE-2020-6286)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:""; distance:0; content:"../../../"; within:10; fast_pattern; reference:url,github.com/chipik/SAP_RECON/blob/master/RECON.py; reference:cve,2020-6286; classtype:attempted-user; sid:2030549; rev:3; metadata:created_at 2020_07_16, cve CVE_2020_6286, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Directory Traversal Inbound (CVE-2019-15980)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ReportWSService/ReportWS"; fast_pattern; http.request_body; content:"..|2f|..|2f|"; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15980; classtype:attempted-admin; sid:2033412; rev:2; metadata:created_at 2021_07_24, cve CVE_2019_15980, deployment 
Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT TIBCO JasperReports Directory Traversal Attempt (CVE-2018-18809)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/reportresource/reportresource/?"; pcre:"/^resource=net\/sf\/jasperreports\/\.\..+/RUi"; reference:cve,2018-18809; reference:url,security.elarlang.eu/cve-2018-18809-path-traversal-in-tibco-jaspersoft.html; classtype:web-application-attack; sid:2043228; rev:2; metadata:affected_product Web_Server_Applications, created_at 2023_01_05, cve CVE_2018_18809, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Sunlogin Sunflower Simplified 1.0.1.43315 Directory Traversal Attempt (CVE-2022-48323)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/check?cmd=ping../"; fast_pattern; startswith; http.cookie; content:"CID="; startswith; reference:url,www.tenable.com/cve/CVE-2022-48323; reference:cve,2022-48323; classtype:attempted-admin; sid:2044205; rev:2; metadata:created_at 2023_02_14, cve CVE_2022_48323, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) #alert http any any -> $HOME_NET any (msg:"ET EXPLOIT aiohttp Directory Traversal in Static Routing (CVE-2024-23334)"; 
flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/static/"; fast_pattern; startswith; pcre:"/^[^\x26\x3f]*(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; http.header; content:!"Referer|0d 0a|"; reference:url,x.com/W01fh4cker/status/1762491210953060827; reference:cve,2024-23334; classtype:web-application-activity; sid:2056166; rev:3; metadata:created_at 2024_09_24, cve CVE_2024_23334, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; http.uri.raw; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:16; metadata:created_at 2010_09_23, cve CVE_2000_0884, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:13; metadata:created_at 2010_09_23, cve CVE_2000_0884, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"GPL EXPLOIT unicode directory 
traversal attempt"; flow:to_server,established; http.uri.raw; content:"/..%c1%9c../"; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:21; metadata:created_at 2010_09_23, cve CVE_2000_0884, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT RealVNC Authentication Bypass Attempt"; flowbits:isset,BSvnc.auth.offered; flow:established; dsize:1; content:"|01|"; depth:1; flowbits:set,BSvnc.null.auth.sent; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; classtype:attempted-admin; sid:2002916; rev:7; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT RealVNC Server Authentication Bypass Successful"; flowbits:isset,BSvnc.null.auth.sent; flow:established; dsize:4; content:"|00 00 00 00|"; depth:4; flowbits:unset,BSis.vnc.setup; flowbits:unset,BSvnc.auth.offered; reference:url,secunia.com/advisories/20107/; reference:url,archives.neohapsis.com/archives/fulldisclosure/2006-05/0356.html; reference:cve,2006-2369; classtype:successful-admin; sid:2002917; rev:7; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; 
target:dest_ip;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linksys WRT54g Authentication Bypass Attempt"; flow:established,to_server; content:"/Security.tri"; http_uri; nocase; content:"SecurityMode=0"; nocase; reference:url,secunia.com/advisories/21372/; classtype:attempted-admin; sid:2003072; rev:6; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) #alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Foxit PDF Reader Authentication Bypass Attempt"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"Type/Action"; distance:0; nocase; content:"Launch"; nocase; within:40; content:"NewWindow true"; nocase; distance:0; pcre:"/Type\x2FAction.+Launch.+\x28\x2F[a-z]\x2F[a-z].+NewWindow\x20true/si"; reference:url,www.coresecurity.com/content/foxit-reader-vulnerabilities#lref.4; reference:cve,2009-0836; classtype:attempted-user; sid:2010878; rev:8; metadata:created_at 2010_07_30, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"?images/"; pcre:"/(?:\/GponForm\/diag_FORM\?images\/|\.html\?images\/)/i"; http.request_body; content:"XWebPageName=diag&diag"; depth:22; fast_pattern; reference:url,www.vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:attempted-admin; sid:2027063; rev:3; metadata:created_at 2019_03_06, cve CVE_2018_10561, 
deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Session ID Assignment (set)"; flow:established,to_server; xbits:set,ET.IBMDRM1,track ip_dst, expire 10; noalert; http.method; content:"GET"; http.uri; content:"/albatross/saml/idpSelection"; startswith; fast_pattern; content:"id="; content:"userName="; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029986; rev:3; metadata:created_at 2020_04_21, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Authentication Bypass - Password Retrieval"; flow:established,to_server; xbits:isset,ET.IBMDRM1,track ip_dst; http.method; content:"POST"; http.uri; bsize:21; content:"/albatross/user/login"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; startswith; http.request_body; content:"name=|22|username|22 0d 0a|"; content:"name=|22|clientDetails|22 0d 0a|"; content:"name=|22|password|22 0d 0a|"; content:"name=|22|sessionId|22 0d 0a|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029987; rev:3; metadata:created_at 2020_04_21, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, 
mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass - Session ID Assignment"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/albatross/saml/idpSelection"; startswith; fast_pattern; content:"id="; content:"userName="; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029988; rev:3; metadata:created_at 2020_04_21, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass - Password Retrieval"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/albatross/user/login"; fast_pattern; http.content_type; content:"multipart/form-data|3b 20|"; startswith; http.request_body; content:"name=|22|username|22 0d 0a|"; content:"name=|22|clientDetails|22 0d 0a|"; content:"name=|22|password|22 0d 0a|"; content:"name=|22|sessionId|22 0d 0a|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029989; rev:2; metadata:created_at 2020_04_21, deployment Perimeter, deployment Internal, deployment Datacenter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Complaint Management System 1.0 - 
Authentication Bypass Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"/Complaint%20Management%20System/admin/"; http.request_body; content:"username=%27%3D%27%27or%27&password="; startswith; fast_pattern; reference:url,www.exploit-db.com/exploits/48452; classtype:attempted-admin; sid:2030160; rev:2; metadata:created_at 2020_05_12, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Citrix Authentication Bypass Attempt Inbound (CVE-2020-8193)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"&sid=loginchallenge"; content:"&username=nsroot"; distance:0; fast_pattern; http.request_body; content:" [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Ruckus vRIoT Authentication Bypass Attempt Inbound (CVE-2020-26879)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization|3a 20|OlDkR+oocZg="; fast_pattern; reference:url,adepts.of0x.cc/ruckus-vriot-rce/; reference:cve,2020-26879; classtype:attempted-admin; sid:2031115; rev:2; metadata:affected_product IoT, created_at 2020_10_26, cve CVE_2020_26879, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT TikiWiki CMS Authentication Bypass (Forced Blank Admin Pass) Attempt Inbound (CVE-2020-15906)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/tiki-login.php"; http.request_body; content:"&user=admin&pass=&"; fast_pattern; 
reference:url,github.com/S1lkys/CVE-2020-15906; reference:cve,2020-15906; classtype:attempted-admin; sid:2031130; rev:2; metadata:created_at 2020_10_27, cve CVE_2020_15906, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Data Center Network Manager Authentication Bypass Inbound (CVE-2019-15976)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/DbAdminWSService/DbAdminWS"; fast_pattern; http.request_body; content:""; content:""; content:""; reference:url,www.exploit-db.com/exploits/48019; reference:cve,2019-15976; classtype:attempted-admin; sid:2033409; rev:2; metadata:created_at 2021_07_24, cve CVE_2019_15976, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass (CVE-2022-1388) M1"; flow:established,to_server; flowbits:set,ET.F5AuthBypass; http.method; content:"POST"; http.uri; content:"/mgmt/tm/util/bash"; fast_pattern; bsize:18; http.header; content:"Authorization|3a 20|Basic YWRtaW46"; http.connection; content:"x-F5-Auth-Token"; nocase; http.header_names; content:!"Referer"; content:"X-F5-Auth-Token"; http.request_body; content:"command"; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; reference:cve,2022-1388; classtype:attempted-admin; sid:2036546; rev:4; metadata:created_at 2022_05_09, cve CVE_2022_1388, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, 
updated_at 2024_11_26, reviewed_at 2024_09_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $HOME_NET any -> any any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Server Response (CVE-2022-1388)"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"kind"; content:"tm|3a|util|3a|bash|3a|runstate"; fast_pattern; distance:0; content:"command"; distance:0; content:"run"; distance:0; content:"utilCmdArgs"; distance:0; content:"commandResult"; distance:0; flowbits:isset,ET.F5AuthBypass; reference:cve,2022-1388; classtype:trojan-activity; sid:2036547; rev:2; metadata:created_at 2022_05_09, cve CVE_2022_1388, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, reviewed_at 2024_09_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/userportal/Controller?"; fast_pattern; startswith; content:"mode="; content:"operation="; content:"datagrid="; content:"json="; http.header; content:"X-Requested-With|3a 20|XMLHttpRequest"; http.header_names; content:!"Referer"; flowbits:set,ET.SophosAuthBypass; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036548; rev:2; metadata:created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, reviewed_at 2024_09_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, 
mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M1"; flow:established,to_client; flowbits:isset,ET.SophosAuthBypass; file.data; content:"{|22|status|22 3a 22|Session Expired|22|}"; fast_pattern; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036549; rev:3; metadata:created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Sophos Firewall Authentication Bypass (CVE-2022-1040) Server Response M2"; flow:established,to_client; flowbits:isset,ET.SophosAuthBypass; file.data; content:"{|22|status|22 3a 22|-2|22|}"; fast_pattern; reference:cve,2022-1040; reference:url,attackerkb.com/topics/cdXl2NL3cR/cve-2022-1040; classtype:attempted-admin; sid:2036550; rev:3; metadata:created_at 2022_05_09, cve CVE_2022_1040, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Attempt (CVE-2022-1388) M2"; flow:established,to_server; flowbits:set,ET.F5AuthBypass; http.method; content:!"GET"; http.uri; content:"/mgmt/tm"; startswith; http.header; content:"Authorization|3a 20|Basic YWRtaW46"; http.connection; content:"x-F5-Auth-Token"; nocase; http.header_names; content:!"Referer"; 
content:"X-F5-Auth-Token"; fast_pattern; threshold:type limit, count 1, seconds 60, track by_src; reference:cve,2022-1388; classtype:attempted-admin; sid:2036556; rev:3; metadata:created_at 2022_05_10, cve CVE_2022_1388, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, reviewed_at 2024_09_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Potential External VMware vRealize Automation Authentication Bypass Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/SAAS/auth/login/embeddedauthbroker/callback"; fast_pattern; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"protected_state"; content:"userstore"; content:"username"; content:"password"; content:"userstoreDisplay"; content:"horizonRelayState"; content:"stickyConnectorId"; content:"action"; reference:url,horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive/; classtype:attempted-admin; sid:2036725; rev:5; metadata:affected_product VMware, created_at 2022_05_27, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, reviewed_at 2024_10_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page/SetupCompleted"; fast_pattern; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; reference:cve,2023-27350; classtype:attempted-admin; 
sid:2045130; rev:3; metadata:created_at 2023_04_21, cve CVE_2023_27350, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, reviewed_at 2024_09_30, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Attempt (CVE-2022-1388) M3"; flow:established,to_server; flowbits:set,ET.F5AuthBypass; http.method; content:!"GET"; http.uri; content:"/mgmt/tm"; startswith; http.header; content:"|20|YWRtaW46"; pcre:"/^Authorization\x3a\x20[^\r\n]*YWRtaW46/mi"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; nocase; content:"X-F5-Auth-Token"; nocase; fast_pattern; threshold:type limit, count 1, seconds 60, track by_src; reference:cve,2022-1388; classtype:attempted-admin; sid:2049256; rev:2; metadata:affected_product F5, created_at 2023_11_20, cve CVE_2022_1388, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Uniview IPC2322lb Authentication Bypass Attempt - RSA Public Key Parameter Retrieval"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/LAPI/V1.0/System/Security/RSA?randomKey="; fast_pattern; startswith; reference:url,ssd-disclosure.com/ssd-advisory-uniview-ipc2322lb-auth-bypass-and-cli-escape/; classtype:attempted-admin; sid:2051786; rev:2; metadata:affected_product IoT, created_at 2024_03_25, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name 
Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Possible Uniview IPC2322lb Authentication Bypass Attempt - Admin Password Reset Attempt"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/LAPI/V1.0/Channel/0/System/Users/Users/0"; fast_pattern; http.request_body; content:"|22|ID|22 3a 20|0|2c|"; content:"|22|Level|22 3a 20|0|2c|"; within:20; content:"|22|Name|22 3a 20 22|admin|22 2c|"; within:20; content:"|22|RSAPublicKey|22 3a 20|"; within:20; content:"|22|Passwd|22 3a 20 22|"; within:450; reference:url,ssd-disclosure.com/ssd-advisory-uniview-ipc2322lb-auth-bypass-and-cli-escape/; classtype:attempted-admin; sid:2051787; rev:2; metadata:affected_product IoT, created_at 2024_03_25, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT PTZOptics PT30X Successful Authentication Bypass (CVE-2024-8956)"; flow:established,to_client; flowbits:isset,ET.2024.8956; http.response_body; bsize:33; content:"|7b 22|Response|22 3a 7b 22|Result|22 3a 22|Success|22 7d 7d|"; fast_pattern; reference:cve,2024-8956; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-8956; reference:url,labs.greynoise.io/grimoire/2024-10-31-sift-0-day-rce; classtype:successful-admin; sid:2057227; rev:2; metadata:affected_product IP_Camera, created_at 2024_11_04, cve CVE_2024_8956, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert http 
[$HTTP_SERVERS,$HOME_NET] any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Cisco Smart Software Manager On-Prem (SSM On-Prem) Successful Unauthenticated Password Reset (CVE-2024-20419)"; flow:established,to_client; flowbits:isset,ET.CVE-2024-20419.request; http.stat_code; content:"200"; http.cookie; content:"XSRF|2d|TOKEN|3d|"; startswith; http.response_body; content:"|7b 22|uid|22 3a 22|"; startswith; content:"|22 2c 22|auth|5f|token|22 3a 22|"; fast_pattern; pcre:"/^(?:[a-z0-9]{64})\x22\x7d$/R"; reference:cve,2024-20419; reference:url,nvd.nist.gov/vuln/detail/CVE-2024-20419; reference:url,sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy; classtype:attempted-admin; sid:2056149; rev:2; metadata:affected_product Cisco_IOS, created_at 2024_09_24, cve CVE_2024_20419, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CVE_2024_20419, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;) alert tcp any any -> $HOME_NET 9100 (msg:"ET EXPLOIT HP Printer Attempted Path Traversal via PJL"; flow:to_server,established; content:"@PJL FS"; depth:7; content:"NAME="; distance:0; pcre:"/^\s*[\x22\x27][^\x22\x27]{0,128}\x2e\x2e/Ri"; reference:url,www.tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution; reference:cve,2017-2741; classtype:attempted-admin; sid:2024404; rev:4; metadata:created_at 2017_06_16, cve CVE_2017_2741, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Cisco Adaptive Security Appliance - Path Traversal"; flow:established,to_server; http.uri; 
content:"+CSCOE+/files/file_list.json?path=+CSCOE+"; fast_pattern; http.uri.raw; content:"../"; reference:url,exploit-db.com/exploits/44956/; reference:cve,2018-0296; classtype:attempted-user; sid:2025764; rev:3; metadata:affected_product Cisco_ASA, created_at 2018_06_29, cve CVE_2018_0296, deployment Perimeter, deployment Internal, deployment Datacenter, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WinRAR WinAce Containing CVE-2018-20250 Inbound - Path Traversal leading to RCE"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"**ACE**"; offset:7; depth:7; fast_pattern; content:"|00|"; distance:0; pcre:"/^(?:(\S\:\\){2,}|\S\:\\\S\:\S\:|S\:\\\\\\([0-9]{1,3}\.){3}[0-9]{1,3}|\S\:\\\\\\([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/R"; classtype:attempted-admin; sid:2027310; rev:4; metadata:created_at 2019_05_01, cve CVE_2018_20250, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag WinRAR, tag ACE, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Nagios XI Post-Auth Path Traversal (CVE-2021-37343)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/nagiosxi/includes/components/autodiscovery/?mode=newjob"; fast_pattern; http.request_body; content:"job=|2e 2e 2f|"; reference:url,claroty.com/2021/09/21/blog-research-securing-network-management-systems-nagios-xi/; reference:cve,2021-37343; classtype:attempted-admin; sid:2034017; rev:2; metadata:affected_product Nagios, created_at 2021_09_23, cve CVE_2021_37343, deployment Perimeter, deployment Internal, 
confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M1"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/%2e%2e/%2e%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,twitter.com/HackerGautam/status/1445412108863041544; reference:cve,2021-41773; classtype:attempted-admin; sid:2034124; rev:5; metadata:affected_product Apache_HTTP_server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M2"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/.%2e/.%2e/.%2e/"; reference:url,httpd.apache.org/security/vulnerabilities_24.html; reference:url,github.com/iilegacyyii/PoC-CVE-2021-41773/blob/main/CVE-2021-41773.py; reference:cve,2021-41773; classtype:attempted-admin; sid:2034125; rev:5; metadata:affected_product Apache_HTTP_server, created_at 2021_10_05, cve CVE_2021_41773, deployment Perimeter, deployment Internet, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;) alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET 
EXPLOIT Apache HTTP Server 2.4.49 - Path Traversal Attempt (CVE-2021-41773) M3"; flow:established,to_server; http.uri.raw; pcre:"/^\/(?:icons|cgi-bin)/"; content:"/.%2e/%2e%2e/.%2e/"; reference:cve,2021-41773; classtype:attempted-admin; sid:2034128; rev:3; metadata:affected_product Apache_HTTP_server, created_at 2021_10_06, cve CVE_2021_41773, deployment Perimeter, deployment Internet, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
# NOTE(review): the rules below were collapsed onto a few long lines in this copy; Suricata expects one
# rule per line, so they are restored that way here. Rules prefixed with '#' are shipped disabled.
# sid:2035106 - Cisco Security Manager (CVE-2020-27130): GET to the XmpFileDownloadServlet download
# endpoint whose URI also contains "../" (|2e 2e 2f|). Matches on decoded http.uri.
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Cisco Security Manager Path Traversal - cwhp (CVE-2020-27130)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cwhp/XmpFileDownloadServlet?parameterName=downloadDoc&downloadDirectory="; fast_pattern; content:"|2e 2e 2f|"; reference:cve,2020-27130; classtype:attempted-admin; sid:2035106; rev:3; metadata:created_at 2022_02_04, cve CVE_2020_27130, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
# sid:2056356 - Zimbra postjournal (CVE-2024-45519): an SMTP "RCPT TO: " line that contains "$(" within
# 200 bytes. Uses the smtp app-layer keyword, so it relies on SMTP being detected on the flow.
alert smtp any any -> [$HOME_NET,$SMTP_SERVERS] any (msg:"ET EXPLOIT Zimbra postjournal RCE Attempt Inbound (CVE-2024-45519)"; flow:established,to_server; content:"|0d 0a|RCPT|20|TO|3a 20|"; fast_pattern; content:"|24 28|"; within:200; pcre:"/^RCPT\x20TO\x3a\x20.*?\x24\x28/mi"; reference:cve,2024-45519; classtype:attempted-admin; sid:2056356; rev:2; metadata:created_at 2024_09_30, cve CVE_2024_45519, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
# sid:2026108 (disabled) - NUUO OS command injection M2: saveconfig request whose body has a "bfolder="
# value containing a backtick or "$". Ships commented out; no deprecation_reason is recorded in its metadata.
#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NUUO OS Command Injection M2"; flow:to_server,established; http.uri; content:"/cgi_system?cmd=saveconfig"; http.request_body; content:"bfolder="; pcre:"/(?:\x60|\x24)/"; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2026108; rev:4; metadata:attack_target Networking_Equipment, created_at 2018_09_10, deployment Perimeter, confidence High, signature_severity Major, updated_at 2024_11_29, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# sid:2034575 (disabled) - Edgemarc blind command injection (CVE-2017-6079): matches only the POST URI,
# not any injected payload, hence confidence Low in the metadata. Expect false positives if enabled.
#alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Edgewater Networks Edgemarc Blind Command Injection Attempt (CVE-2017-6079)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/config?page=50&form=mainForm"; nocase; fast_pattern; reference:url,github.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit/blob/master/CVE-2017-6079.py; reference:cve,2017-6079; classtype:attempted-admin; sid:2034575; rev:3; metadata:attack_target Networking_Equipment, created_at 2021_12_01, cve CVE_2017_6079, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, updated_at 2024_11_30, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
# sid:2034970 (disabled, deprecation_reason Relevance) - SonicWall SMA stack overflow (CVE-2021-20038).
# NOTE(review): metadata says affected_product Apache_HTTP_server, but the msg, reference URL and CVE
# all point at SonicWall; this looks like a copied tag and should not be trusted for affected_product filtering.
#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sonicwall Unauthenticated Stack-Based Buffer Overflow (CVE-2021-20038)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f 04 3f 7f 3f 18 3f 7f 3f 18 3f 7f 3f 64 3f 06 08 3b|"; startswith; fast_pattern; content:"|3b 3f|"; distance:0; bsize:>200; http.header_names; content:!"Referer"; reference:url,psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026; reference:cve,2021-20038; classtype:attempted-admin; sid:2034970; rev:3; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2022_01_25, cve CVE_2021_20038, deployment Perimeter, deprecation_reason Relevance, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_12_02, reviewed_at 2024_12_02;)
# sid:2038672 / sid:2038673 (disabled, deprecation_reason Relevance) - Jira file read (CVE-2021-26086).
# NOTE(review): both are written $HOME_NET -> $EXTERNAL_NET, i.e. they only see internal clients sending
# the request to external Jira hosts; they would not catch the same request arriving at an internal Jira.
# Both also require a request with no Referer header and are tagged deployment SSLDecrypt.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M1"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/"; startswith; content:"|2f 5f 2f 3b 2f|WEB|2d|INF"; within:25; fast_pattern; pcre:"/(?:web|decorators|seraph-config)\x2exml$/R"; http.header_names; content:!"Referer"; reference:url,jira.atlassian.com/browse/JRASERVER-72695; reference:url,github.com/ColdFusionX/CVE-2021-26086; reference:cve,2021-26086; classtype:attempted-admin; sid:2038672; rev:2; metadata:affected_product Atlassian, attack_target Web_Server, created_at 2022_08_30, cve CVE_2021_26086, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Relevance, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_12_02, reviewed_at 2024_12_02;)
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/s/"; startswith; content:"|2f 5f 2f 3b 2f|META|2d|INF|2f|maven|2f|"; fast_pattern; pcre:"/com.atlassian.jira\x2f(?:jira\x2dwebapp\x2ddist|atlassian\x2djira\x2dwebapp)\x2fpom\x2e(?:properties|xml)$/R"; http.header_names; content:!"Referer"; reference:url,jira.atlassian.com/browse/JRASERVER-72695; reference:url,github.com/ColdFusionX/CVE-2021-26086; reference:cve,2021-26086; classtype:attempted-admin; sid:2038673; rev:2; metadata:affected_product Atlassian, attack_target Web_Server, created_at 2022_08_30, cve CVE_2021_26086, deployment Perimeter, deployment SSLDecrypt, deprecation_reason Relevance, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_12_02, reviewed_at 2024_12_02;)
# sid:2038782 (disabled, deprecation_reason Relevance) - D-Link sethostname RCE (CVE-2022-28958). The body
# pattern is anchored (startswith) on a wget download, so it is written for the botnet delivery case
# described in the Unit42 reference; classtype is trojan-activity rather than attempted-admin for that reason.
#alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link Remote Code Execution Attempt (CVE-2022-28958)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/getcfg.php"; bsize:11; http.request_body; content:"action|3d|sethostname|26|value|3d 26 20|wget|20|http"; startswith; fast_pattern; reference:url,unit42.paloaltonetworks.com/moobot-d-link-devices/; reference:cve,2022-28958; classtype:trojan-activity; sid:2038782; rev:2; metadata:attack_target Networking_Equipment, created_at 2022_09_09, cve CVE_2022_28958, deprecation_reason Relevance, confidence High, signature_severity Major, updated_at 2024_12_02, reviewed_at 2024_12_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
# sid:2058432 - FortiClient EMS SQLi (CVE-2023-48788): raw TCP, no app-layer keyword; fires on a payload
# starting with "MSG_HEADER: FCTUID=" followed by a quote, semicolon, dash, backslash, star or slash
# before the first newline. Metadata marks it tls_state TLSDecrypt / deployment SSLDecrypt, so it only
# has visibility where the EMS channel is decrypted.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortinet FortiClient EMS SQL Injection (CVE-2023-48788)"; flow:established,to_server; content:"MSG_HEADER|3a 20|FCTUID|3d|"; fast_pattern; startswith; pcre:"/^[^\x0a]*?[\x27\x22\x3b\x2d\x5c\x2a\x2f]/R"; reference:url,www.horizon3.ai/attack-research/attack-blogs/cve-2023-48788-fortinet-forticlientems-sql-injection-deep-dive; reference:cve,2023-48788; classtype:attempted-admin; sid:2058432; rev:1; metadata:affected_product FortiClient_EMS, attack_target Server, tls_state TLSDecrypt, created_at 2024_12_19, cve CVE_2023_48788, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_12_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
# sid:2034491 - D-Link HNAP SOAPAction injection (CVE-2015-2051): /HNAP1/ request whose SOAPAction header
# value ends in a backtick (|60|) after GetDeviceSettings/. The reference list names four CVEs but the
# cve metadata field carries only CVE_2015_2051; keep that in mind when pivoting from CVE tags.
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051)"; flow:established,to_server; http.uri; content:"/HNAP1/"; nocase; http.header; content:"SOAPAction|3a 20 22|http|3a 2f 2f|purenetworks|2e|com|2f|HNAP1|2f|GetDeviceSettings|2f 60|"; fast_pattern; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; reference:cve,2019-10891; reference:cve,2022-37056; reference:cve,2024-33112; classtype:attempted-admin; sid:2034491; rev:4; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2021_11_17, cve CVE_2015_2051, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_01_02, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
# sid:2025080 - Actiontec C1000A backdoor account M1: the literal account name sent to a $HOME_NET host on
# TCP 23 or 2323. Source is "any", so it also alerts on internal-to-internal telnet logins using that name.
alert tcp any any -> $HOME_NET [23,2323] (msg:"ET EXPLOIT Actiontec C1000A backdoor account M1"; flow:established,to_server; content:"QwestM0dem"; fast_pattern; classtype:attempted-admin; sid:2025080; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2017_11_28, deployment Perimeter, malware_family Mirai, performance_impact Low, signature_severity Major, updated_at 2025_01_03;)
# sid:2059017 - LDAPNightmare referral response (CVE-2024-49113): this is a RESPONSE rule, UDP from external
# port 389 into $HOME_NET. target:dest_ip therefore names the internal client receiving the referral, and
# the external source is the suspect host. No flow keyword, since CLDAP over UDP has no session to track.
# NOTE(review): attack_target is tagged Networking_Equipment while every affected_product is Windows; verify.
alert udp $EXTERNAL_NET 389 -> $HOME_NET any (msg:"ET EXPLOIT Microsoft LDAP Referral Response Inbound (CVE-2024-49113)"; content:"|30|"; depth:1; content:"|04|"; distance:2; within:1; content:"|65|"; distance:4; within:1; content:"|0a 01|"; distance:1; within:2; content:"|a3|"; distance:0; content:"ldap"; within:7; pcre:"/^s?\x3a\x2f{2}/R"; reference:url,www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/; reference:cve,2024-49113; classtype:attempted-dos; sid:2059017; rev:1; metadata:affected_product Windows_11, affected_product Windows_Server_2019, affected_product Windows_Server_2022, affected_product Windows_Server_2016, affected_product Windows_10, affected_product Windows_Server_2012, attack_target Networking_Equipment, created_at 2025_01_07, cve CVE_2024_49113, deployment Perimeter, deployment Internal, performance_impact Moderate, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_07, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1498, mitre_technique_name Network_Denial_of_Service; target:dest_ip;)
# sid:2059171 - Ivanti Connect Secure IF-T/TLS clientCapabilities RCE (CVE-2025-0282). Gated on
# xbits:isset ET.IFTTLS.HTTPRequest (track ip_pair); the rule that SETS that xbit is not in this section,
# so if it is not loaded this signature can never fire. Also tls_state TLSDecrypt: needs the IF-T/TLS
# channel decrypted. Matches a clientCapabilities= value of 257+ non-space bytes; confidence Medium.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Ivanti Connect Secure VPN IF-T/TLS clientCapabilities Remote Code Execution (CVE-2025-0282)"; flow:established,to_server; xbits:isset,ET.IFTTLS.HTTPRequest,track ip_pair; content:"|00 00|"; startswith; pcre:"/^(\x0a\x4c|\x05\x83)\x00\x00\x00\x88/R"; content:"clientCapabilities|3d|"; fast_pattern; pcre:"/^[^\x20\x0a]{257,}/R"; reference:url,labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-ivanti-connect-secure-rce-cve-2025-0282/; reference:cve,2025-0282; classtype:attempted-admin; sid:2059171; rev:1; metadata:affected_product Ivanti, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_01_13, cve CVE_2025_0282, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_01_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)