# Suricata-style IDS signatures (Emerging Threats "ET EXPLOIT" / "ET WEB_SERVER" / "ET HUNTING" /
# "ET SCAN" / "ET SCADA" / "ET WEB_SPECIFIC_APPS" families), one rule per list item.
# Each item: action/protocol/source/destination header, then msg, flow direction, sticky buffers
# (http.uri, http.request_body, http.header, http.cookie, ...) with content/pcre matches,
# reference(s), classtype, sid, rev and metadata (created_at/updated_at, deployment, severity).
# The first sixteen rules are classtype:attempted-user, every rule from sid 2019389 onward is
# classtype:attempted-admin.
# NOTE(review): every quote is doubled (""..."") throughout, which looks like a CSV-style
# export artifact rather than rule syntax; Suricata expects a single double-quote, so the lines
# would need un-doubling before loading -- confirm against the upstream rule file.
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT Apache Struts Possible OGNL Java Exec In URI""; flow:to_server,established; http.uri; content:""java.lang.Runtime@getRuntime().exec(""; nocase; classtype:attempted-user; sid:2016953; rev:4; metadata:created_at 2013_05_31, updated_at 2020_04_24;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT Apache Struts Possible OGNL Java Exec in client body""; flow:to_server,established; http.request_body; content:""java.lang.Runtime@getRuntime().exec(""; nocase; reference:url,struts.apache.org/development/2.x/docs/s2-013.html; classtype:attempted-user; sid:2016957; rev:4; metadata:created_at 2013_06_01, updated_at 2020_04_24;)
# sids 2024663 and 2027516 both track CVE-2017-9805 (Struts REST plugin): 2024663 keys on the
# XStream/ProcessBuilder request body, 2027516 on a GET to /struts2 whose Content-Type starts an
# OGNL expression (|25 7b 28 23| is "%{(#").
- alert http any any -> $HOME_NET any (msg:""ET EXPLOIT Apache Struts 2 REST Plugin XStream RCE (ProcessBuilder)""; flow:to_server,established; http.request_body; content:""java.lang.ProcessBuilder""; nocase; fast_pattern; content:""<command""; nocase; distance:0; pcre:""/^[\s>]/Rs""; reference:cve,2017-9805; reference:url,lgtm.com/blog/apache_struts_CVE-2017-9805_announcement; classtype:attempted-user; sid:2024663; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_09_06, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Critical, updated_at 2020_08_12;)
- alert http any any -> $HOME_NET 52869 (msg:""ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361""; flow:established,to_server; urilen:12; http.method; content:""POST""; http.uri; content:""/picdesc.xml""; http.header; content:""SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|""; reference:url,blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/; reference:cve,CVE-2014-8361; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/realtek_miniigd_upnp_exec_noauth.rb; reference:url,www.exploit-db.com/exploits/37169/; classtype:attempted-user; sid:2025132; rev:3; metadata:attack_target IoT, created_at 2017_12_05, former_category EXPLOIT, updated_at 2020_08_24;)
# sids 2025837/2025838 are a Unix/Windows pair for the WebLogic wls-wsat deserialization; they
# differ only in the trailing <string> arguments (/bin/sh -c vs cmd /c).
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Unix""; flow:established,to_server; http.uri; content:""/CoordinatorPortType""; http.request_body; content:""<soapenv:""; content:""java.lang.ProcessBuilder""; content:""<string>/bin/sh""; content:""<string>-c</string>""; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025837; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT Oracle WebLogic - wls-wsat Component Deserialization Remote Code Execution Windows""; flow:established,to_server; http.uri; content:""/CoordinatorPortType""; http.request_body; content:""<soapenv:""; content:""java.lang.ProcessBuilder""; content:""<string>cmd</string>""; content:""<string>/c</string>""; reference:url,exploit-db.com/exploits/43924/; classtype:attempted-user; sid:2025838; rev:2; metadata:attack_target Server, created_at 2018_07_13, deployment Datacenter, former_category EXPLOIT, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT Apache Struts RCE CVE-2018-11776 POC M2""; flow:to_server,established; http.uri; content:""memberAccess""; content:""allowStaticMethodAccess""; distance:0; content:""java.lang.Runtime@getRuntime().exec(""; nocase; fast_pattern; distance:0; content:"".getInputStream""; content:""java.io.InputStreamReader""; content:""java.io.BufferedReader""; content:"".read""; content:""@org.apache.struts2.ServletActionContext@getResponse""; reference:url,github.com/jas502n/St2-057/blob/master/README.md; reference:cve,2018-11776; classtype:attempted-user; sid:2026026; rev:2; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2018_08_23, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_25;)
- alert http any any -> $HOME_NET any (msg:""ET EXPLOIT Apache Struts 2 REST Plugin Vulnerability (CVE-2017-9805)""; flow:to_server,established; http.method; content:""GET""; http.uri; content:""/struts2""; http.content_type; content:""|25 7b 28 23|""; isdataat:500,relative; content:""cmd.exe""; fast_pattern; content:""@java.lang.System@getProperty(|27|os.name|27|)""; reference:cve,2017-9805; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027516; rev:2; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
- alert http any any -> $HOME_NET any (msg:""ET EXPLOIT ThinkPHP Attempted Bypass and Payload Retrieval""; flow:to_server,established; http.method; content:""GET""; http.uri; content:""/public/hydra.php?xcmd=cmd.exe""; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027518; rev:2; metadata:attack_target Server, created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
- alert http any any -> $HOME_NET any (msg:""ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615)""; flow:to_server,established; http.method; content:""GET""; http.uri; content:"".jsp?view=""; fast_pattern; content:""&os=""; distance:0; content:""&address=""; distance:0; reference:cve,2017-12615; reference:url,forums.juniper.net/t5/Threat-Research/Anatomy-of-the-Bulehero-Cryptomining-Botnet/ba-p/458787; classtype:attempted-user; sid:2027517; rev:3; metadata:created_at 2019_06_26, deployment Perimeter, former_category EXPLOIT, performance_impact Moderate, signature_severity Major, updated_at 2020_11_17;)
# NOTE(review): sid 2031562's msg names CVE-2019-9621, but its reference list and metadata also
# cite CVE-2021-2109 -- verify which CVE this rule is meant to track before relying on the tag.
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET EXPLOIT Zimbra <8.8.11 - XML External Entity Injection/SSRF Attempt (CVE-2019-9621)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/autodiscover""; nocase; http.request_body; content:""<!DOCTYPE""; depth:50; content:""file:///etc/passwd""; distance:0; fast_pattern; content:""<EMailAddress>""; content:""<AcceptableResponseSchema>""; reference:url,www.exploit-db.com/exploits/46967; reference:url,packetstormsecurity.com/files/152487/Zimbra-Collaboration-Autodiscover-Servlet-XXE-ProxyServlet-SSRF.html; reference:cve,2019-9621; reference:cve,2021-2109; classtype:attempted-user; sid:2031562; rev:1; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_27, cve CVE_2021_2109, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_01_27;)
- alert http any any -> any any (msg:""ET EXPLOIT ZTE Cable Modem RCE Attempt (CVE-2014-2321)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/web_shell_cmd.gch""; fast_pattern; http.request_body; content:""IF_ACTION=apply&IF_ERRORSTR=SUCC&""; startswith; reference:url,twitter.com/bad_packets/status/1235106406144937984; reference:cve,2014-2321; reference:url,github.com/stasinopoulos/ZTExploit/; classtype:attempted-user; sid:2032077; rev:2; metadata:affected_product Router, attack_target IoT, created_at 2021_03_16, cve CVE_2014_2321, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2021_03_16;)
# sid 2008542: raw tcp to port 20222; fires on an exactly 4-byte payload (dsize:4) whose 4 bytes
# read as an integer greater than 399 (byte_test:4,>,399,0).
- alert tcp $EXTERNAL_NET any -> $HOME_NET 20222 (msg:""ET SCADA CitectSCADA ODBC Overflow Attempt""; flow:established,to_server; dsize:4; byte_test:4,>,399,0; reference:cve,2008-2639; reference:url,www.digitalbond.com/index.php/2008/09/08/ids-signature-for-citect-vuln/; reference:url,digitalbond.com/tools/quickdraw/vulnerability-rules; classtype:attempted-user; sid:2008542; rev:8; metadata:created_at 2010_07_30, updated_at 2016_06_07;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect""; flow:established,to_server; http.request_body; content:""redirect|3a|""; content:""{""; distance:0; pcre:""/\bredirect\x3a/""; reference:url,struts.apache.org/release/2.3.x/docs/s2-016.html; classtype:attempted-user; sid:2017174; rev:6; metadata:created_at 2013_07_24, updated_at 2020_06_24;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SERVER Possible Apache Struts OGNL in Dynamic Action""; flow:established,to_server; http.uri; content:""/${""; fast_pattern; pcre:""/\/\$\{[^\}\x2c]+?=/""; reference:cve,2013-2135; reference:bugtraq,60345; reference:url,cwiki.apache.org/confluence/display/WW/S2-015; classtype:attempted-user; sid:2017277; rev:6; metadata:created_at 2013_08_06, updated_at 2020_09_19;)
- alert http any any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS OGNL Expression Injection (CVE-2017-9791)""; flow:established,to_server; http.method; content:""POST""; nocase; http.request_body; content:""multipart""; content:""form-data""; distance:1; within:11; content:""ognl.OgnlContext""; distance:1; fast_pattern; content:""DEFAULT_MEMBER_ACCESS""; distance:1; within:23; content:""java.lang.ProcessBuilder""; distance:1; content:"".start""; distance:1; reference:url,securityonline.info/tutorial-cve-2017-9791-apache-struts2-s2-048-remote-code-execution-vulnerability/; reference:cve,2017-9791; classtype:attempted-user; sid:2024468; rev:3; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_07_14, deployment Datacenter, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_08_10;)
# Shellshock (CVE-2014-6271) family: |28 29 20 7b| is the literal "() {" function-definition
# prefix; it is reused by sids 2019904, 2031543, 2022028 and 2019232 further down, each scoped
# to a different buffer (SMTP stream, http.header, http.user_agent, raw request).
# NOTE(review): sid 2019389's pcre ends in "(?!=[\r\n])", a negative lookahead for a literal
# "=" followed by CR/LF; "(?![\r\n])" may have been intended -- confirm against the upstream rev.
- alert tcp any any -> $HOME_NET [25,587] (msg:""ET EXPLOIT Possible Postfix CVE-2014-6271 attempt""; flow:to_server,established; content:""|28 29 20 7b|""; fast_pattern; pcre:""/^[a-z-]+\s*?\x3a\s*?[^\r\n]*?\x28\x29\x20\x7b.*\x3b.*\x7d\s*\x3b(?!=[\r\n])/mi""; reference:url,exploit-db.com/exploits/34896/; reference:cve,2014-6271; classtype:attempted-admin; sid:2019389; rev:5; metadata:created_at 2014_10_10, updated_at 2019_10_08;)
# sids 2029806/2029807 are an outbound/inbound pair with identical match options; only the
# address direction and signature_severity (Major vs Minor) differ.
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Outbound (CVE-2020-8515) M2""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/cgi-bin/mainfunction.cgi""; endswith; http.request_body; content:""action=login&keyPath=""; fast_pattern; content:""&loginUser=""; distance:0; content:""&loginPwd=""; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029806; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_04_03;)
- alert http $EXTERNAL_NET any -> any any (msg:""ET EXPLOIT Multiple DrayTek Products Pre-authentication Remote RCE Inbound (CVE-2020-8515) M2""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/cgi-bin/mainfunction.cgi""; endswith; http.request_body; content:""action=login&keyPath=""; fast_pattern; content:""&loginUser=""; distance:0; content:""&loginPwd=""; distance:0; reference:cve,2020-8515; reference:url,www.exploit-db.com/exploits/48268; classtype:attempted-admin; sid:2029807; rev:2; metadata:affected_product Linux, attack_target Networking_Equipment, created_at 2020_04_03, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_04_03;)
# sid 2030469: the URI must begin with /tmui/login.jsp (depth:15) and contain a ";" (|3b|)
# somewhere after it; no method or body constraint.
- alert http any any -> any any (msg:""ET EXPLOIT F5 TMUI RCE vulnerability CVE-2020-5902 Attempt M1""; flow:established,to_server; http.uri; content:""/tmui/login.jsp""; depth:15; fast_pattern; content:""|3b|""; distance:0; reference:cve,2020-5902; reference:url,support.f5.com/csp/article/K52145254; classtype:attempted-admin; sid:2030469; rev:5; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2020_07_05, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Critical, updated_at 2020_07_08;)
- alert http any any -> $HOME_NET any (msg:""ET EXPLOIT D-Link Devices Home Network Administration Protocol Command Execution""; flow:established,to_server; http.method; content:""POST""; http.header; content:""SOAPAction|3a|""; content:""http|3a|//purenetworks.com/HNAP1/""; fast_pattern; pcre:""/^SOAPAction\x3a\s+?[^\r\n]*?http\x3a\/\/purenetworks\.com\/HNAP1\/([^\x2f]+?[\x2f])?[^\x2f]/mi""; reference:url,devttys0.com/2015/04/hacking-the-d-link-dir-890l/; reference:cve,2016-6563; classtype:attempted-admin; sid:2020899; rev:5; metadata:created_at 2015_04_13, updated_at 2020_08_03;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT UCM6202 1.0.18.13 - Remote Command Injection Attempt""; flow:established,to_server; http.method; content:""POST""; http.request_body; content:""action=sendPasswordEmail&user_name=""; startswith; fast_pattern; content:""|27|""; within:40; content:""|60 3b 60|""; within:100; reference:url,www.exploit-db.com/exploits/48247; classtype:attempted-admin; sid:2030206; rev:2; metadata:created_at 2020_05_22, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET EXPLOIT Zyxel NAS RCE Attempt Inbound (CVE-2020-9054) M1""; flow:established,to_server; http.method; content:""GET""; http.uri; content:""/adv,/cgi-bin/weblogin.cgi?username=""; startswith; fast_pattern; content:""|27 3b|""; within:20; reference:cve,2020-9054; reference:url,www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml; reference:url,www.kb.cert.org/vuls/id/498544/; classtype:attempted-admin; sid:2029616; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_03_12, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_19;)
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET EXPLOIT [401TRG] ZeroShell RCE Inbound (CVE-2019-12725)""; flow:to_server,established; http.uri; content:""/kerbynet?""; nocase; fast_pattern; content:""Action=""; nocase; content:""Section=""; nocase; reference:cve,2019-12725; reference:url,isc.sans.edu/forums/diary/Scanning+Activity+for+ZeroShell+Unauthenticated+Access/26368/; classtype:attempted-admin; sid:2030597; rev:2; metadata:attack_target Networking_Equipment, created_at 2020_07_24, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2020_08_19;)
# sid 2025883: "/shell?" must be at the start of the URI (depth:7) and the request must carry
# no Referer header (http.header_names; content:!"Referer").
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET EXPLOIT MVPower DVR Shell UCE""; flow:to_server,established; http.uri; content:""/shell?""; depth:7; fast_pattern; http.header_names; content:!""Referer""; reference:url,researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/; classtype:attempted-admin; sid:2025883; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2018_07_23, deployment Perimeter, former_category EXPLOIT, malware_family Mirai, signature_severity Major, updated_at 2020_08_25;)
# sids 2026094-2026096 (CVE-2018-11776) pair two URI tokens each (|23| is "#", |2E| is ".");
# all three carry signature_severity Informational.
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT Apache Struts memberAccess and getWriter inbound OGNL injection remote code execution attempt""; flow:to_server,established; http.uri; content:""|23|_memberAccess""; fast_pattern; content:"".getWriter""; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026094; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT Apache Struts memberAccess and opensymphony inbound OGNL injection remote code execution attempt""; flow:to_server,established; http.uri; content:""|23|_memberAccess""; fast_pattern; content:""com|2E|opensymphony""; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026095; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET EXPLOIT Apache Struts getWriter and opensymphony inbound OGNL injection remote code execution attempt""; flow:to_server,established; http.uri; content:""|2E|getWriter""; fast_pattern; content:""symphony|2E|""; nocase; reference:cve,2018-11776; classtype:attempted-admin; sid:2026096; rev:3; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_09_05, deployment Datacenter, former_category EXPLOIT, signature_severity Informational, updated_at 2020_08_25;)
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""ET EXPLOIT Outbound GPON Authentication Bypass Attempt (CVE-2018-10561)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""?images/""; pcre:""/(?:\/GponForm\/diag_FORM\?images\/|\.html\?images\/)/i""; http.request_body; content:""XWebPageName=diag&diag""; depth:22; fast_pattern; reference:url,www.vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:attempted-admin; sid:2027063; rev:2; metadata:attack_target IoT, created_at 2019_03_06, cve 2018_10561, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
- alert http any any -> $EXTERNAL_NET any (msg:""ET EXPLOIT Linksys E-Series Device RCE Attempt Outbound""; flow:to_server,established; http.method; content:""POST""; http.uri; content:"".cgi""; http.request_body; content:""ttcp_ip=""; content:""-h""; distance:0; content:""&ttcp_num=""; fast_pattern; reference:url,www.exploit-db.com/exploits/31683/; reference:url,researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/; classtype:attempted-admin; sid:2027153; rev:2; metadata:attack_target Client_Endpoint, created_at 2019_04_04, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_28;)
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET EXPLOIT QNAP Shellshock CVE-2014-6271""; flow:established,to_server; http.uri; content:""authLogin.cgi""; http.header; content:""|28 29 20 7b|""; fast_pattern; reference:url,www.fireeye.com/blog/threat-research/2014/10/the-shellshock-aftershock-for-nas-administrators.html; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; reference:cve,2014-6271; classtype:attempted-admin; sid:2019904; rev:5; metadata:created_at 2014_12_10, former_category CURRENT_EVENTS, updated_at 2020_10_13;)
# CVE-2019-7256 (Linear eMerge E3) appears three times: 2029207 inbound and 2029213 outbound
# share one URI prefix check; the later sid 2033757 instead looks for "/card_scan" at the start
# of the URI, ".php" shortly after, and a backtick (=|60|) anywhere in it.
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)""; flow:established,to_server; http.uri; content:""/card_scan_decoder.php?No=""; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, deployment Perimeter, former_category EXPLOIT, signature_severity Minor, updated_at 2020_10_27;)
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)""; flow:established,to_server; http.uri; content:""/card_scan_decoder.php?No=""; depth:26; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:2; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""ET EXPLOIT Netgear DGN1000/DGN2200 Unauthenticated Command Execution Outbound""; flow:established,to_server; http.uri; content:""/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=""; depth:49; reference:url,www.exploit-db.com/exploits/25978; classtype:attempted-admin; sid:2029215; rev:2; metadata:affected_product Netgear_Router, attack_target IoT, created_at 2019_12_31, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_10_27;)
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""ET EXPLOIT VisualDoor Sonicwall SSL VPN Exploit Attempt""; flow:established,to_server; http.uri; content:""/cgi-bin/jarrewrite.sh""; endswith; fast_pattern; http.user_agent; content:""|28 29 20 7b|""; reference:url,darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/; reference:cve,2014-6271; classtype:attempted-admin; sid:2031543; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_01_25, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_01_25;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT VMWare View Planner RCE (CVE-2021-21978) Attempt M1""; flow:established,to_server; http.request_line; content:""POST /logupload?logMetaData=""; startswith; fast_pattern; content:""itrLogPath""; content:""log_upload_wsgi.py""; http.request_body; content:""name=|22|logfile|22 3b|""; reference:url,paper.seebug.org/1495/; reference:url,www.vmware.com/security/advisories/VMSA-2021-0003.html; reference:cve,2021-21978; classtype:attempted-admin; sid:2032009; rev:1; metadata:affected_product VMware, attack_target Server, created_at 2021_03_15, cve CVE_2021_21978, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_03_15;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT [NCC/FOX-IT] Possible F5 BIG-IP/BIG-IQ iControl REST RCE Attempt (CVE-2021-22986)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/mgmt/tm/util/bash""; nocase; fast_pattern; http.request_body; content:""|22|command|22 3a 20 22|run|22|""; content:""|22|utilCmdArgs|22 3a 20 22|""; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Signatures/suricata/2021_03_cve_2021_22986.txt; reference:cve,2021-22986; classtype:attempted-admin; sid:2032220; rev:1; metadata:created_at 2021_03_19, cve CVE_2021_22986, former_category EXPLOIT, updated_at 2021_03_19;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT Mongo-Express RCE Inbound (CVE-2019-10758)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/checkValid""; http.request_body; content:""document=this.constructor""; content:""execSync""; distance:0; fast_pattern; reference:cve,2019-10758; reference:url,github.com/masahiro331/CVE-2019-10758; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033113; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, cve CVE_2019_10758, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_08;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT XXL-Job RCE""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/run""; http.request_body; content:""GLUE_SHELL""; nocase; fast_pattern; content:""glueSource""; nocase; content:""glueUpdatetime""; nocase; reference:url,github.com/jas502n/xxl-job; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033115; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_06_08;)
# NOTE(review): sids 2033208 and 2033210 have the same msg, header and match options; 2033210
# only adds references and metadata. Loading both alerts twice per matching request -- likely
# the earlier sid was superseded, confirm which one to keep.
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464)""; flow:established,to_server; http.uri; content:""/openam/oauth2/""; content:""/ccversion/Version""; nocase; pkt_data; content:""jato.pageSession=""; reference:url,portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464; classtype:attempted-admin; sid:2033208; rev:1; metadata:created_at 2021_06_30, cve CVE_2021_35464, former_category EXPLOIT, updated_at 2021_06_30;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT ForgeRock Access Manager RCE (CVE-2021-35464)""; flow:established,to_server; http.uri; content:""/openam/oauth2/""; content:""/ccversion/Version""; nocase; pkt_data; content:""jato.pageSession=""; reference:url,portswigger.net/research/pre-auth-rce-in-forgerock-openam-cve-2021-35464; reference:url,attackerkb.com/topics/KnAX5kffui/pre-auth-rce-in-forgerock-access-manager-cve-2021-35464; reference:cve,2021-35464; classtype:attempted-admin; sid:2033210; rev:1; metadata:attack_target Server, created_at 2021_06_30, cve CVE_2021_35464, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_06_30;)
# sids 2033280/2033281 are an inbound/outbound pair with identical match options; the pcre is
# relative (/R) to the "/boaform/admin/" URI match, and |60| is a backtick in the body.
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT OptiLink ONT1GEW GPON RCE Inbound""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/boaform/admin/""; pcre:""/^form(?:Ping|Tracert)$/R""; http.request_body; content:""target_addr=|22|""; fast_pattern; content:""|60|""; distance:0; reference:url,packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html; classtype:attempted-admin; sid:2033280; rev:2; metadata:created_at 2021_07_08, updated_at 2021_07_08;)
- alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:""ET EXPLOIT OptiLink ONT1GEW GPON RCE Outbound""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/boaform/admin/""; pcre:""/^form(?:Ping|Tracert)$/R""; http.request_body; content:""target_addr=|22|""; fast_pattern; content:""|60|""; distance:0; reference:url,packetstormsecurity.com/files/162993/OptiLink-ONT1GEW-GPON-2.1.11_X101-Remote-Code-Execution.html; classtype:attempted-admin; sid:2033281; rev:1; metadata:created_at 2021_07_08, updated_at 2021_07_08;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT Solr DataImport Handler RCE (CVE-2019-0193)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/solr/""; content:""dataimport""; distance:0; http.request_body; content:""command=full-import""; fast_pattern; pcre:""/\bexec\b/Ri""; reference:cve,2019-0193; reference:url,github.com/jas502n/CVE-2019-0193; classtype:attempted-admin; sid:2033114; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_08, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2021_07_26;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT phpMyAdmin setup.php Local File Include""; flow:established,to_server; http.uri; content:""/scripts/setup.php""; nocase; fast_pattern; http.request_body; content:""action=""; nocase; startswith; content:""configuration=""; nocase; content:""PMA_Config""; nocase; content:""source""; nocase; reference:url,www.programmersought.com/article/87603212281/; reference:url,github.com/projectdiscovery/nuclei; classtype:attempted-admin; sid:2033640; rev:1; metadata:attack_target Web_Server, created_at 2021_08_02, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, signature_severity Major, updated_at 2021_08_02;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT eMerge E3 Command Injection Inbound (CVE-2019-7256)""; flow:established,to_server; http.method; content:""GET""; http.uri; content:""/card_scan""; startswith; fast_pattern; content:"".php""; distance:0; within:15; content:""=|60|""; reference:cve,2019-7256; classtype:attempted-admin; sid:2033757; rev:1; metadata:created_at 2021_08_22, cve CVE_2019_7256, former_category EXPLOIT, updated_at 2021_08_22;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT Cisco HyperFlex HX Data Platform Pre-Auth RCE Inbound (CVE-2021-1499)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/upload""; http.request_body; content:""name=|22|""; content:""filename=|22|../../""; fast_pattern; reference:cve,2021-1499; classtype:attempted-admin; sid:2033907; rev:1; metadata:attack_target Server, created_at 2021_09_07, cve CVE_2021_1499, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_09_07;)
# sid 2034256 is length-based only: a Cookie header starting with "rememberMe=" and longer than
# 125 bytes (bsize:>125); it does not inspect the cookie value itself.
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT Possible Apache Shiro 1.2.4 Cookie RememberME Deserial RCE (CVE-2016-4437)""; flow:established,to_server; http.cookie; content:""rememberMe=""; startswith; fast_pattern; bsize:>125; reference:url,issues.apache.org/jira/browse/SHIRO-550; reference:cve,2016-4437; classtype:attempted-admin; sid:2034256; rev:1; metadata:attack_target Server, created_at 2021_10_27, cve CVE_2021_4437, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, tag Exploit, updated_at 2021_10_27;)
# HUNTING pair: sids 2009363 (inbound) and 2029216 (outbound) use the same "chmod" URI check,
# pcre and three content:! exclusions, listed in a different order.
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET HUNTING Suspicious Chmod Usage in URI (Inbound)""; flow:to_server,established; http.uri; content:""chmod""; fast_pattern; nocase; pcre:""/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri""; content:!""&launchmode=""; content:!""/chmod/""; content:!""searchmod""; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:10; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category HUNTING, signature_severity Minor, updated_at 2020_10_27;)
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""ET HUNTING Suspicious Chmod Usage in URI (Outbound)""; flow:to_server,established; http.uri; content:""chmod""; fast_pattern; nocase; content:!""&launchmode=""; content:!""/chmod/""; content:!""searchmod""; pcre:""/^(?:\+|\x2520|\x24IFS|\x252B|\s)+(?:x|[0-9]{3,4})/Ri""; classtype:attempted-admin; sid:2029216; rev:3; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2019_12_31, deployment Perimeter, signature_severity Major, updated_at 2020_10_27;)
# sid 2009217: "YWRtaW46YWRtaW4=" is base64 for "admin:admin"; the rule also sets flowbit
# ET.Tomcat.login.attempt, whose consumers are not part of this list.
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET SCAN Tomcat admin-admin login credentials""; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:""/manager/html""; nocase; http.header; content:""|0d 0a|Authorization|3a 20|Basic|20|YWRtaW46YWRtaW4=|0d 0a|""; fast_pattern; reference:url,tomcat.apache.org; reference:url,doc.emergingthreats.net/2009217; classtype:attempted-admin; sid:2009217; rev:10; metadata:created_at 2010_07_30, updated_at 2020_11_02;)
- alert tcp $EXTERNAL_NET any -> $HOME_NET [9200,9292] (msg:""ET WEB_SERVER Possible CVE-2015-1427 Elastic Search Sandbox Escape Remote Code Execution Attempt""; flow:established,to_server; content:""POST /""; depth:6; content:""search""; distance:0; content:""script_fields""; distance:0; nocase; content:"".class.forName""; nocase; distance:0; content:""java.lang.Runtime""; nocase; distance:0; reference:url,jordan-wright.github.io/blog/2015/03/08/elasticsearch-rce-vulnerability-cve-2015-1427; classtype:attempted-admin; sid:2020648; rev:2; metadata:created_at 2015_03_09, updated_at 2015_03_09;)
# sid 2022028 is a raw-tcp Shellshock check over the whole request (content + pcre on the
# header block); sid 2019232 at the end is the http.header equivalent and additionally requires
# "bash -c" (bash|20 2d|c).
- alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:""ET WEB_SERVER Possible CVE-2014-6271 Attempt""; flow:established,to_server; content:"" HTTP/1.""; pcre:""/^[^\r\n]*?HTTP\/1(?:(?!\r?\n\r?\n)[\x20-\x7e\s]){1,500}\n[\x20-\x7e]{1,100}\x3a[\x20-\x7e]{0,500}\x28\x29\x20\x7b/s""; content:""|28 29 20 7b|""; fast_pattern; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2022028; rev:2; metadata:created_at 2015_11_04, updated_at 2019_10_08;)
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET WEB_SERVER ThinkPHP RCE Exploitation Attempt""; flow:established,to_server; http.method; content:""GET""; http.uri; content:""/index""; content:""/invokefunction&function=call_user_func_array""; distance:0; fast_pattern; reference:url,www.exploit-db.com/exploits/45978; classtype:attempted-admin; sid:2026731; rev:3; metadata:affected_product PHP, attack_target Web_Server, created_at 2018_12_14, deployment Perimeter, deployment Datacenter, former_category WEB_SERVER, performance_impact Low, signature_severity Major, tag ThinkPHP, updated_at 2020_08_31;)
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET WEB_SERVER Possible DD-WRT Metacharacter Injection Command Execution Attempt""; flow:to_server,established; http.uri; content:""/cgi-bin/|3B|""; nocase; pcre:""/\x2Fcgi\x2Dbin\x2F\x3B.+[a-z]/i""; reference:url,isc.sans.org/diary.html?storyid=6853; reference:url,www.theregister.co.uk/2009/07/21/critical_ddwrt_router_vuln/; reference:url,doc.emergingthreats.net/2009678; reference:url,www.dd-wrt.com/phpBB2/viewtopic.php?t=55173; reference:bid,35742; reference:cve,2009-2765; classtype:attempted-admin; sid:2009678; rev:9; metadata:created_at 2010_07_30, updated_at 2020_09_10;)
# sid 2008176 matches any URI containing "exec(" case-insensitively and nothing else -- broad
# by design (msg says "Possible"); likely to need per-site tuning where that string is legitimate.
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET WEB_SERVER Possible SQL Injection (exec)""; flow:established,to_server; http.uri; content:""exec(""; nocase; reference:url,doc.emergingthreats.net/2008176; classtype:attempted-admin; sid:2008176; rev:9; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, signature_severity Major, tag SQL_Injection, updated_at 2020_09_14;)
- alert http any any -> $HTTP_SERVERS any (msg:""ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers""; flow:established,to_server; http.header; content:""|28 29 20 7b|""; fast_pattern; content:""bash|20 2d|c""; reference:url,blogs.akamai.com/2014/09/environment-bashing.html; classtype:attempted-admin; sid:2019232; rev:7; metadata:created_at 2014_09_25, updated_at 2021_11_03;)
- alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET WEB_SPECIFIC_APPS vBulletin RCE Inbound (CVE-2019-16759 Bypass)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/widget_tabbedcontainer_tab_panel""; fast_pattern; http.request_body; content:""subWidgets|5b|""; content:""|3b|""; distance:0; reference:url,blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/; classtype:attempted-admin; sid:2030667; rev:1; metadata:attack_target Web_Server, created_at 2020_08_10, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_10;)
- alert http any any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/user/register""; http.request_body; content:""drupal""; pcre:""/(%23|#)(access_callback|pre_render|post_render|lazy_builder)/i""; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025494; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_13, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS Apache Struts ognl inbound OGNL injection remote code execution attempt""; flow:to_server,established; http.uri; content:""${""; content:""ognl|2E|""; distance:0;fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026031; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Minor, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS Apache Struts inbound .getWriter OGNL injection remote code execution attempt""; flow:to_server,established; http.uri; content:""${""; content:"".getWriter""; fast_pattern; distance:0; reference:cve,2018-11776; classtype:attempted-admin; sid:2026032; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS Apache Struts java.lang inbound OGNL injection remote code execution attempt""; flow:to_server,established; http.uri; content:""${""; content:""java|2E|lang""; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026033; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS Apache Struts inbound .getClass OGNL injection remote code execution attempt""; flow:to_server,established; http.uri; content:""${""; content:"".getClass""; distance:0; fast_pattern; reference:cve,2018-11776; classtype:attempted-admin; sid:2026034; rev:2; metadata:affected_product Apache_Struts2, attack_target Server, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_25;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS Apache Struts memberAccess inbound OGNL injection remote code execution attempt""; flow:to_server,established; threshold:type both, track by_dst, count 1, seconds 60; http.uri; content:""|23|_memberAccess""; fast_pattern; content:""new|20|""; nocase; pcre:""/new\s+(java|org|sun)/i""; reference:cve,2018-11776; classtype:attempted-admin; sid:2026035; rev:4; metadata:affected_product Apache_Struts2, attack_target Client_Endpoint, created_at 2018_08_24, deployment Perimeter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_12;)
- alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:""ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Fuzzing Inbound M1""; flow:established,to_server; http.method; content:""GET""; http.uri; content:""&handle=java.""; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; classtype:attempted-admin; sid:2031144; rev:1; metadata:created_at 2020_10_30, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Informational, updated_at 2020_10_30;)
- alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:""ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M1 (CVE-2020-14882)""; flow:established,to_server; http.method; content:""GET""; http.uri; content:""console.portal?""; content:"".sh.ShellSession|28|""; distance:0; fast_pattern; reference:url,packetstormsecurity.com/files/159769/Oracle-WebLogic-Server-Remote-Code-Execution.html; reference:cve,2020-14882; classtype:attempted-admin; sid:2031143; rev:3; metadata:created_at 2020_10_30, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, performance_impact Low, signature_severity Major, updated_at 2020_11_06;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET WEB_SPECIFIC_APPS Possible Apache Unomi MVEL Eval RCE Inbound M1 (CVE-2020-13942)""; flow:established,to_server; http.method; content:""POST""; http.request_body; content:""condition|22 3a|""; content:""|22|script|3a 3a|""; distance:0; fast_pattern; reference:url,www.checkmarx.com/blog/apache-unomi-cve-2020-13942-rce-vulnerabilities-discovered/; reference:cve,2020-13942; classtype:attempted-admin; sid:2031219; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2020_11_19, cve CVE_2020_13942, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_11_19;)
- alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:""ET WEB_SPECIFIC_APPS Possible Oracle WebLogic RCE Inbound M3 (CVE-2020-14882)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""console.portal""; http.request_body; content:"".sh.ShellSession""; fast_pattern; pcre:""/^(?:\x28|%28)/R""; reference:url,github.com/jas502n/CVE-2020-14882; reference:cve,2020-14882; classtype:attempted-admin; sid:2031185; rev:3; metadata:created_at 2020_11_06, cve CVE_2020_14882, deployment Perimeter, deployment Internal, former_category WEB_SPECIFIC_APPS, updated_at 2020_12_04;)
- alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:""ET WEB_SPECIFIC_APPS Possible Apache Druid RCE Inbound (CVE-2021-25646)""; flow:established,to_server; http.method; content:""POST""; http.request_body; content:""|22|type|22 3a 20 22|javascript|22|""; fast_pattern; content:""|22|function|22 3a 20|""; pcre:""/^\x22[^\x22]*\x7b[^\x22]*\x7d[^\x22]*\x22[^\x22]*\x22{2}/Rm""; reference:cve,2021-25646; classtype:attempted-admin; sid:2032340; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2021_03_29, cve CVE_2021_25646, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_03_29;)
- alert http any any -> $HOME_NET any (msg:""ET EXPLOIT Netgear DGN Remote Command Execution""; flow:to_server,established; http.uri; content:""/setup.cgi?next_file=""; nocase; content:""&todo=syscmd&cmd=""; nocase; distance:0; content:""currentsetting.htm""; nocase; fast_pattern; reference:url,seclists.org/bugtraq/2013/Jun/8; classtype:attempted-recon; sid:2024916; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
- alert http any any -> $HOME_NET any (msg:""ET EXPLOIT AVTECH Unauthenticated Command Injection in DVR Devices""; flow:to_server,established; http.uri; content:""/Search.cgi?action=cgi_query""; nocase; fast_pattern; content:""&username=""; nocase; distance:0; content:""&password=""; nocase; distance:0; reference:url,github.com/Trietptm-on-Security/AVTECH; classtype:attempted-recon; sid:2024917; rev:2; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, former_category EXPLOIT, signature_severity Major, updated_at 2020_08_13;)
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""ET EXPLOIT Realtek SDK Miniigd UPnP SOAP Command Execution CVE-2014-8361 - Outbound""; flow:established,to_server; http.method; content:""POST""; http.header; content:""SOAPAction|3a 20|urn|3a|schemas-upnp-org|3a|service|3a|WANIPConnection|3a|""; fast_pattern; http.request_body; content:""|3c|u|3a|AddPortMapping""; content:""|3c|NewRemoteHost|3e|""; distance:0; content:""|3c|NewInternalClient""; distance:0; content:""|3c 2f|NewInternalClient|3e|""; distance:0; content:""NewEnabled|3e|1""; distance:0; classtype:trojan-activity; sid:2027339; rev:3; metadata:attack_target IoT, created_at 2019_05_08, deployment Perimeter, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2020_08_31;)
- alert http any any -> any [5555,7547] (msg:""ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE ""; flow:to_server,established; http.header; content:""urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers""; nocase; fast_pattern; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:5; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, signature_severity Major, updated_at 2020_10_07;)
- alert http $HOME_NET any -> $EXTERNAL_NET any (msg:""ET INFO Executable Download from dotted-quad Host""; flow:established,to_server; http.uri; content:"".exe""; endswith; nocase; http.host; content:"".""; offset:1; depth:3; content:"".""; within:4; content:"".""; within:4; pcre:""/^(?:\d{1,3}\.){3}\d{1,3}$/""; http.request_line; content:"".exe HTTP/1.""; fast_pattern; classtype:trojan-activity; sid:2016141; rev:7; metadata:created_at 2013_01_03, updated_at 2020_09_14;)
- alert http any any -> $HOME_NET 8080 (msg:""ET WORM TheMoon.linksys.router 2""; flow:to_server,established; http.method; content:""POST""; http.uri; content:""/tmUnblock.cgi""; reference:url,isc.sans.edu/forums/diary/Linksys+Worm+Captured/17630; reference:url,devttys0.com/2014/02/wrt120n-fprintf-stack-overflow/; classtype:trojan-activity; sid:2018132; rev:5; metadata:created_at 2014_02_13, updated_at 2020_07_07;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT Cisco ASA XSS Attempt (CVE-2020-3580)""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/+CSCOE+/saml/sp/acs?tgname=""; fast_pattern; http.request_body; content:""=|22|><""; reference:url,twitter.com/ptswarm/status/1408050644460650502; reference:cve,2020-3580; classtype:web-application-attack; sid:2033994; rev:2; metadata:affected_product Web_Server_Applications, attack_target Networking_Equipment, created_at 2021_09_21, cve CVE_2020_3580, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2021_09_21;)
- alert http $HOME_NET any -> any any (msg:""ET MALWARE JAWS Webserver Unauthenticated Shell Command Execution""; flow:established,to_server; http.method; content:""GET""; http.uri.raw; content:""/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+""; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030092; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Major, updated_at 2020_05_04;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET SCAN Tomcat Auth Brute Force attempt (admin)""; flow:to_server,established; threshold: type threshold, track by_src, count 5, seconds 30; http.header; content:""Authorization|3a| Basic YWRtaW46""; fast_pattern; reference:url,doc.emergingthreats.net/2008453; classtype:web-application-attack; sid:2008453; rev:9; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
- alert http $EXTERNAL_NET any -> any any (msg:""ET SCAN JAWS Webserver Unauthenticated Shell Command Execution""; flow:established,to_server; http.method; content:""GET""; http.uri.raw; content:""/shell?cd+/tmp|3b|rm+-rf+*|3b|wget+""; depth:29; fast_pattern; reference:md5,fea9e4132fc9d30bda5eb6b1d9d0b9b9; classtype:web-application-attack; sid:2030093; rev:2; metadata:affected_product Linux, attack_target Web_Server, created_at 2020_05_04, deployment Perimeter, signature_severity Minor, updated_at 2020_05_04;)
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET WEB_SERVER PHP Possible php Remote File Inclusion Attempt""; flow:established,to_server; http.uri; content:"".php?""; content:""=php|3a|//""; reference:cve,2002-0953; reference:url,diablohorn.wordpress.com/2010/01/16/interesting-local-file-inclusion-method/; classtype:web-application-attack; sid:2013001; rev:5; metadata:created_at 2011_06_10, updated_at 2020_04_20;)
- alert http any any -> $HTTP_SERVERS any (msg:""ET WEB_SERVER ColdFusion administrator access""; flow:established,to_server; http.method; content:""GET""; nocase; http.uri; content:""/CFIDE/administrator""; nocase; reference:url,www.adobe.com/support/security/advisories/apsa13-01.html; classtype:web-application-attack; sid:2016184; rev:6; metadata:created_at 2013_01_09, updated_at 2020_04_22;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SERVER Script tag in URI Possible Cross Site Scripting Attempt""; flow:to_server,established; http.uri; content:""</script>""; nocase; reference:url,ha.ckers.org/xss.html; reference:url,doc.emergingthreats.net/2009714; classtype:web-application-attack; sid:2009714; rev:8; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2010_07_30, deployment Datacenter, former_category WEB_SERVER, signature_severity Major, tag XSS, tag Cross_Site_Scripting, updated_at 2020_08_20;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SERVER CRLF Injection - Newline Characters in URL""; flow:established,to_server; http.uri; content:""|0D 0A|""; fast_pattern; pcre:""/[\n\r](?:content-(?:type|length)|set-cookie|location)\x3a/i""; reference:url,www.owasp.org/index.php/CRLF_Injection; classtype:web-application-attack; sid:2017143; rev:5; metadata:created_at 2013_07_13, updated_at 2020_09_18;)
- alert http any any -> $HTTP_SERVERS any (msg:""ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)""; flow:established,to_server; http.header; content:""Range|3a|""; nocase; content:""18446744073709551615""; fast_pattern; distance:0; pcre:""/^Range\x3a[^\r\n]*?18446744073709551615/mi""; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:5; metadata:created_at 2015_04_15, updated_at 2020_10_13;)
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET WEB_SERVER Cisco IOS HTTP Server Exec Command Execution Attempt""; flow:to_server,established; http.uri; content:""/level/15/exec/-/""; fast_pattern; nocase; pcre:""/\x2Flevel\x2F15\x2Fexec\x2F\x2D\x2F[a-z]/i""; reference:url,doc.emergingthreats.net/2010623; classtype:web-application-attack; sid:2010623; rev:7; metadata:created_at 2010_07_30, updated_at 2020_10_13;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS Wordpress Google Doc Embedder plugin file parameter Local File Inclusion Attempt""; flow:established,to_server; content:""|2e 2e 2f|""; depth:200; http.uri; content:""/wp-content/plugins/google-document-embedder/libs/pdf.php?""; nocase; fast_pattern; content:""file=""; nocase; reference:url,secunia.com/advisories/50832; classtype:web-application-attack; sid:2016158; rev:3; metadata:affected_product Web_Server_Applications, affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2013_01_05, deployment Datacenter, signature_severity Major, tag Local_File_Inclusion, tag Wordpress, updated_at 2020_04_22;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS Possible Apache Struts OGNL Expression Injection (CVE-2017-5638) (Content-Disposition) M1""; flow:to_server,established; http.header; content:""multipart/form-data""; nocase; http.request_body; content:""Content-Disposition|3a|""; nocase; content:""filename""; nocase; pcre:""/^[^\r\n]*filename\s*=\s*[^\x3b\x3a\r\n]*[\x25\x24]\s*\{[^\r\n]{20,}\}/mi""; reference:url,community.hpe.com/t5/Security-Research/Struts2-046-A-new-vector/ba-p/6949723#.WNF-_kcpDUJ; classtype:web-application-attack; sid:2024096; rev:4; metadata:affected_product Apache_Struts2, attack_target Web_Server, created_at 2017_03_20, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_08_04;)
- alert http $EXTERNAL_NET any -> $HOME_NET any (msg:""ET WEB_SPECIFIC_APPS ECSHOP user.php SQL INJECTION via Referer""; flow:established,to_server; http.uri; content:""/user.php""; http.referer; content:""SELECT""; nocase; content:""UNION""; nocase; content:"",4,5,6,7,8,0x""; fast_pattern; reference:url,github.com/theLSA/ecshop-getshell; reference:url,github.com/Hzllaga/EcShop_RCE_Scanner/; reference:url,xz.aliyun.com/t/2689?from=groupmessage; classtype:web-application-attack; sid:2027416; rev:2; metadata:attack_target Web_Server, created_at 2019_05_31, deployment Perimeter, former_category WEB_SPECIFIC_APPS, performance_impact Moderate, signature_severity Major, updated_at 2020_08_31;)
- alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS WP Generic revslider Arbitrary File Download""; flow:established,to_server; http.uri; content:""/admin-ajax.php?""; fast_pattern; content:""slider_show_image""; pcre:""/^[^\r\n]*(?:%2(?:52e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|e(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))|\.(?:%2(?:52e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)|e(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/))|\.(?:%(?:c(?:0%af|1%9c)|(?:25)?2f)|5c|\/)))/Rim""; reference:url,blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html; classtype:web-application-attack; sid:2020221; rev:6; metadata:created_at 2015_01_21, updated_at 2020_09_29;)
- alert http any any -> $HTTP_SERVERS any (msg:""ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt""; flow:to_server,established; http.method; content:""PUT""; http.uri; content:"".jsp/""; nocase; fast_pattern; pcre:""/\.jsp\/[^\x2f]*$/i""; reference:cve,2017-12617; reference:cve,2017-12615; classtype:web-application-attack; sid:2024808; rev:6; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2017_10_05, deployment Datacenter, former_category WEB_SPECIFIC_APPS, signature_severity Major, updated_at 2020_10_09;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Attempt to clear logs""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/_ignition/execute-solution/""; startswith; fast_pattern; http.request_body; content:""|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|""; content:""|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|""; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033079; rev:1; metadata:attack_target Web_Server, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Payload Execution Attempt""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/_ignition/execute-solution/""; startswith; fast_pattern; http.request_body; content:""|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|""; content:""|22|viewFile|22 3a 20 22|phar|3a 2f 2f|""; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033080; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
- alert http $HOME_NET any -> any any (msg:""ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Attempt to clear logs""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/_ignition/execute-solution/""; startswith; fast_pattern; http.request_body; content:""|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|""; content:""|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|""; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033081; rev:2; metadata:attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
- alert http $HOME_NET any -> any any (msg:""ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt""; flow:established,to_server; http.method; content:""POST""; http.uri; content:""/_ignition/execute-solution/""; startswith; fast_pattern; http.request_body; content:""|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|""; content:""|22|viewFile|22 3a 20 22|phar|3a 2f 2f|""; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033082; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_06_03, cve CVE_2021_3129, deployment Perimeter, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, signature_severity Major, updated_at 2021_06_03;)
- alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:""ET SCAN Laravel Debug Mode Information Disclosure Probe Inbound""; flow:established,to_server; http.method; content:""POST""; http.request_body; content:""0x%5B%5D=androxgh0st""; nocase; fast_pattern; reference:url,thedfirreport.com/2021/02/28/laravel-debug-leaking-secrets/; classtype:attempted-recon; sid:2034508; rev:1; metadata:created_at 2021_11_18, former_category SCAN, updated_at 2021_11_18;)