
We warn of a possible large-scale cyberattack in Ukraine using the VPNFilter malware.

VPNFilter is malware that targets network devices. VPNFilter allows attackers to intercept all traffic passing through an affected device (including authentication data and personal data of payment systems), collect and exfiltrate information, remotely control the infected device and even render it inoperable. Functionality for monitoring Modbus SCADA protocols is also present.

The list of devices affected by VPNFilter includes Linksys, MikroTik, NETGEAR and TP-Link network equipment, as well as QNAP network-attached storage (NAS) devices.

VPNFilter can brick a device and make it unusable. Because the malware can be triggered at once on individual or multiple devices, VPNFilter can cut off Internet access for hundreds of thousands of users. Network devices from other vendors and of other models may also be vulnerable. The malware is currently under investigation.

The devices targeted by the attack are hard to protect. They are usually located outside the protected perimeter and have no protection system of their own. There is currently no information about a specific vulnerability through which infection occurred. Most infected devices had well-known vulnerabilities that are fixed by firmware updates, or had default login credentials, which greatly simplified infection.

Device infection proceeds in three stages.

Stage 1:

The task of the malware loaded in stage 1 is to download the stage 2 malware. It uses several methods to download stage 2. If one of the attempts succeeds, it launches stage 2, goes to sleep, and periodically checks that stage 2 is running correctly.

The malware gets onto network devices by exploiting well-known vulnerabilities (for most of which updates exist) and by targeting devices that still had default logins and passwords.

Depending on the device model, the stage 1 malware also uses different mechanisms to persist across reboots.

Actions of the stage 1 malware:

  1. Attempts to download one of several images from photobucket.com. If the correct image and an encoded IP address are obtained, it connects to that address over SSL using a special SSL certificate embedded in the malware.
  2. Downloads from the command-and-control server the file /update/<filename>, where <filename> is the model name of the vulnerable device (for example, qnapx86 for QNAP NAS devices).
  3. Sends an HTTP GET request to the command-and-control server toknowall[.]com to download the file /manage/content/update.php.
  4. Attempts to extract a special Exif header containing the encoded IP address of the server from which stage 2 is downloaded.
  5. Connects to the download server in the same way as in steps 1-2.
  6. Opens a socket on the WAN interface to listen for specially crafted packets containing the encoded IP address of the stage 2 download server. If such a packet is received, it attempts to connect to the server as described in steps 1-2.

Stage 2:

The stage 2 malware, a process named “vpnfilter”, is written by stage 1 into a specially created directory that is deleted after a reboot. The malware has attacker-controlled functionality to enable Tor or to use SOCKS5 through an SSL/TLS proxy with the embedded SSL certificate packed by the stage 1 malware.

Stage 2 functionality:

  • download – downloads files from a specified URL;
  • execute – executes a shell command on the system;
  • reboot – reboots the device; during the reboot the stage 2 malware is removed;
  • port – changes the port used to connect to the command-and-control server;
  • kill – renders the device inoperable by overwriting the filesystem and rebooting;
  • delay – changes the interval at which stage 1 checks whether stage 2 is present;
  • copy – copies the contents of a given file from the filesystem to a new file in the directory that stage 2 continuously monitors.

After any of these commands is executed, the malware initiates the transfer of all files located in the vpnfilterw directory it created to the command-and-control server. The transfer lasts no more than 2 minutes.

Stage 3:

In stage 3, a packet sniffer was observed being downloaded; it intercepts all network traffic and searches for strings containing HTTP authentication data. It also monitors Modbus TCP/IP packets, which are used in SCADA systems. The sniffer's log files are likewise stored in the directory /var/run/vpnfilterw.

A Tor module is also downloaded, which is partly linked to the stage 2 malware. It is downloaded into the directory /var/run/tor, creates the configuration file /var/run/torrc and the directory /var/run/tord.

 

It should be noted that the VPNFilter malware is still being investigated; other malware modules or other infection methods may exist.

List of vulnerable devices:

LINKSYS DEVICES:

E1200
E2500
WRVS4400N

MIKROTIK ROUTEROS VIRTUAL ROUTERS FOR CLOUD CORE ROUTERS:

1016
1036
1072

NETGEAR DEVICES:

DGN2200
R6400
R7000
R8000
WNR1000
WNR2000

QNAP DEVICES:

TS251
TS439 Pro

Other QNAP NAS devices running QTS software

TP-LINK DEVICES:

R600VPN

 

Malicious domains and IP addresses (C2):


 

Malicious files:

Stage 1:

Stage 2:


 

Stage 3:

Files and directories created on the device filesystem:

/var/run/vpnfilterw

/var/client.key

/var/client.crt

/var/client_ca.crt

/var/vpnfilter*

/var/run/vpnfilter*

/var/msvf.pid

/var/run/msvf.pid

/var/run/tor

/var/run/torrc

/var/run/tord
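As an added example (not part of the advisory), the following Python check looks for the filesystem artifacts listed above on a device filesystem that has been mounted or extracted under a given root directory; the sample tree it builds is constructed test data, and the root is assumed to mirror the device layout (root/var/run/...).

```python
"""Check a device filesystem (mounted or extracted under `root`) for the files and
directories this advisory lists as created by VPNFilter."""
import glob
import os
import tempfile
from typing import List

# Paths from the advisory; entries with '*' are shell-style globs.
VPNFILTER_PATHS = [
    "/var/run/vpnfilterw",
    "/var/client.key",
    "/var/client.crt",
    "/var/client_ca.crt",
    "/var/vpnfilter*",
    "/var/run/vpnfilter*",
    "/var/msvf.pid",
    "/var/run/msvf.pid",
    "/var/run/tor",
    "/var/run/torrc",
    "/var/run/tord",
]


def find_vpnfilter_artifacts(root: str) -> List[str]:
    """Return the device-relative paths under `root` that match the list, sorted.
    A path matching more than one pattern (e.g. /var/run/vpnfilterw also matches
    /var/run/vpnfilter*) is reported once."""
    root = os.path.abspath(root)
    hits = set()
    for pattern in VPNFILTER_PATHS:
        # Strip the leading '/' so the pattern is resolved beneath `root`,
        # not against the analysis host's own /var.
        for match in glob.glob(os.path.join(root, pattern.lstrip("/"))):
            rel = os.path.relpath(match, root).replace(os.sep, "/")
            hits.add("/" + rel)
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample data: a temp directory imitating an infected device's
    filesystem (stage 2 working directory, a pid file and the Tor directory)."""
    root = tempfile.mkdtemp(prefix="vpnfilter-demo-")
    os.makedirs(os.path.join(root, "var", "run", "vpnfilterw"))
    os.makedirs(os.path.join(root, "var", "run", "tor"))
    with open(os.path.join(root, "var", "msvf.pid"), "w") as fh:
        fh.write("1234\n")
    # An unrelated pid file that must not be reported.
    with open(os.path.join(root, "var", "run", "dhcp.pid"), "w") as fh:
        fh.write("99\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for path in find_vpnfilter_artifacts(demo_root):
        print("suspicious:", path)
```

Because the stage 2 directory is under /var/run, which the advisory notes is cleared on reboot, run this kind of check (or capture the filesystem) before following the reboot recommendation if evidence needs to be preserved.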

SELF-SIGNED CERTIFICATE


 

 

Useful links:

https://blog.talosintelligence.com/2018/05/VPNFilter.html

https://blogs.cisco.com/security/talos/vpnfilter

https://www.us-cert.gov/ncas/current-activity/2018/05/23/VPNFilter-Destructive-Malware

 

Recommendations:

  • Users and owners of network devices must immediately reboot them and reset them to factory default settings to remove the malware from the devices' RAM.

  • Update network devices to current firmware versions. Information about updates and current versions is available on the manufacturers' official websites.

Given the potential for destructive actions, we recommend that all of the listed measures be carried out.

 

SNORT rules for detecting infected devices and malware download attempts:

Rules for detecting malware activity:

alert tcp any any -> any any (msg:"Malware C2 Magic Packet"; flow:not_established,no_stream; flags:S; dsize:>7; content:"|0c 15 22 2b|"; fast_pattern; isdataat:3,relative; sid:2;)
alert tcp $EXTERNAL_NET [443,8443] -> $HOME_NET any (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_client,established; content:"|09 4d 69 63 72 6f 73 6f 66 74 31 10 30 0e 06 03 55 04 0b 13 07 53 75 70 70 6f 72 74 31 0b 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern:only; metadata:service http; classtype:trojan-activity;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,8443] (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; content:"|09 4d 69 63 72 6f 73 6f 66 74 31 10 30 0e 06 03 55 04 0b 13 07 53 75 70 70 6f 72 74 31 0b 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern:only; metadata:service http; classtype:trojan-activity;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/0e0094d9bd396a6594da8e21911a3982cd737b445f591581560d766755097d92/analysis/; classtype:trojan-activity; sid:45563; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0|0D 0A|Host: "; fast_pattern:only; http_header; content:"Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A 0D 0A|"; http_header; content:!"Cookie:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/50ac4fcd3fbc8abcaa766449841b3a0a684b3e217fc40935f1ac22c34c58a9ec/analysis/; classtype:trojan-activity; sid:45564; rev:2;)
alert tcp any any -> any any (msg:"Malware Client Certificate"; flow:established,to_server; content:"|31 10 30 0e 06 03 55 04 0b 13 07 53 75 70 70 6f 72 74 31 0b 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern; content:"|31 10 30 0e 06 03 55 04 0b 13 07 53 75 70 70 6f 72 74 31 0e 30 0c 06 03 55 04 03 13 05 75 73 65 72 73|"; distance:0; within:112; sid:1;)
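As an added example (not code from the advisory or from Talos), the following Python evaluates the two custom rules above, sid:2 "Malware C2 Magic Packet" and sid:1 "Malware Client Certificate", against constructed test payloads, and decodes the X.509 name fragment that the certificate patterns (and the Talos MALWARE-CNC rules) key on. Matching semantics for isdataat, distance and within follow the Snort manual; flow/stream options are not modelled, and every packet below is constructed, not captured.

```python
"""Evaluate the advisory's two custom Snort rules against constructed packets and
decode the X.509 name fragment that the certificate-based rules key on.

Matching semantics follow the Snort manual:
  isdataat:N,relative  -> at least N payload bytes after the end of the last match
  distance:D; within:W -> the next content must lie entirely inside the W bytes
                          that start D bytes after the end of the previous match
flow:/stream options are not modelled (there is no TCP state here)."""
import re
from typing import List, Tuple


def hex_content(snort_content: str) -> bytes:
    """Convert a Snort hex content string such as '|0c 15 22 2b|' into bytes.
    Only the pure-hex form used by the advisory's rules is handled."""
    return bytes.fromhex(snort_content.strip().strip("|"))


# Content patterns copied from the rules above.
MAGIC = hex_content("|0c 15 22 2b|")                                          # sid:2
CERT_CA = hex_content("|31 10 30 0e 06 03 55 04 0b 13 07 53 75 70 70 6f 72 74 "
                      "31 0b 30 09 06 03 55 04 03 13 02 63 61|")               # sid:1, first content
CERT_USERS = hex_content("|31 10 30 0e 06 03 55 04 0b 13 07 53 75 70 70 6f 72 74 "
                         "31 0e 30 0c 06 03 55 04 03 13 05 75 73 65 72 73|")   # sid:1, second content
CNC_CERT = hex_content("|09 4d 69 63 72 6f 73 6f 66 74 31 10 30 0e 06 03 55 04 0b 13 07 "
                       "53 75 70 70 6f 72 74 31 0b 30 09 06 03 55 04 03 13 02 63 61|")  # Talos MALWARE-CNC rules

# OID 2.5.4.x attribute types (encoded as 06 03 55 04 xx) seen in the patterns.
X520_ATTRS = {0x03: "CN", 0x0a: "O", 0x0b: "OU"}


def x509_name_attrs(pattern: bytes) -> List[Tuple[str, str]]:
    """Decode the DER AttributeTypeAndValue fragments inside a content pattern:
    OID 2.5.4.x followed by a PrintableString (tag 0x13) and its length byte.
    The 31 10 30 0e / 31 0b 30 09 bytes in front are the SET/SEQUENCE wrappers."""
    out = []
    for m in re.finditer(rb"\x06\x03\x55\x04(.)\x13(.)", pattern, re.DOTALL):
        attr = X520_ATTRS.get(m.group(1)[0], "2.5.4.%d" % m.group(1)[0])
        length = m.group(2)[0]
        value = pattern[m.end(): m.end() + length].decode("ascii", "replace")
        out.append((attr, value))
    return out


def magic_packet_rule(tcp_flags: str, payload: bytes) -> bool:
    """sid:2 -- flags:S; dsize:>7; content:"|0c 15 22 2b|"; isdataat:3,relative;"""
    if tcp_flags != "S":                 # flags:S -> SYN set and no other flag
        return False
    if len(payload) <= 7:                # dsize:>7
        return False
    idx = payload.find(MAGIC)            # content match at any offset
    if idx < 0:
        return False
    # isdataat:3,relative: at least 3 bytes must follow the match. The first
    # occurrence has the most trailing data, so later occurrences need no retry.
    return len(payload) - (idx + len(MAGIC)) >= 3


def client_cert_rule(payload: bytes) -> bool:
    """sid:1 -- content:CERT_CA; content:CERT_USERS; distance:0; within:112;"""
    distance, within = 0, 112
    start = 0
    # Snort retries later occurrences of the first content when the second
    # content is not found relative to an earlier one, so loop over them.
    while (idx := payload.find(CERT_CA, start)) != -1:
        end = idx + len(CERT_CA)
        window = payload[end + distance: end + distance + within]
        if CERT_USERS in window:
            return True
        start = idx + 1
    return False


# Constructed sample payloads (test data, not captured traffic).
SYN_WITH_MAGIC = b"\x00\x01" + MAGIC + b"\xaa\xbb\xcc"          # 9 bytes, 3 after the magic
SYN_MAGIC_SHORT = b"\x00\x01\x02\x03" + MAGIC + b"\xaa"          # 9 bytes, only 1 after the magic
HANDSHAKE_NEAR = b"\x30\x82" + CERT_CA + b"\x00" * 40 + CERT_USERS
HANDSHAKE_FAR = CERT_CA + b"\x00" * 120 + CERT_USERS             # second DN outside the 112-byte window


if __name__ == "__main__":
    print("sid:1 keys on", x509_name_attrs(CERT_CA), "then", x509_name_attrs(CERT_USERS))
    print("Talos CNC content ends with the same fragment:", CNC_CERT.endswith(CERT_CA))
    print("magic SYN:", magic_packet_rule("S", SYN_WITH_MAGIC),
          "| short:", magic_packet_rule("S", SYN_MAGIC_SHORT))
    print("cert near:", client_cert_rule(HANDSHAKE_NEAR), "| far:", client_cert_rule(HANDSHAKE_FAR))
```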

 

 

Rules for detecting malware activity on specific devices:

Linksys, Cisco


Linksys E1200v2 & Linksys E2500 & Cisco WRVS4400N
CVE-2012-5958
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy security-ips drop, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:25589; rev:4;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"action=gozila"; nocase; http_client_body; pcre:"/&?(ping(%5f|_)size=(%26|&)[^&\r\n]+?(%26&|&&)?|next_page=[^&\r\n]+?\.\.\/|submit_button=[^&\r\n]+?(?:%0[ad])?|wait_time=[^&\x2e\d\r\n]+?)/Pi"; metadata:service http; classtype:attempted-admin; sid:26276; rev:2;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi multiple vulnerabilities attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"action=gozila"; nocase; http_uri; pcre:"/&?(ping(%5f|_)size=(%26|&)[^&\r\n]+?(%26&|&&)?|next_page=[^&\r\n]+?\.\.\/|submit_button=[^&\r\n]+?(?:%0[ad])?|wait_time=[^&\x2e\d\r\n]+?)/Ui"; metadata:service http; classtype:attempted-admin; sid:26277; rev:2;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_client_body; content:"PasswdModify=1"; nocase; http_client_body; content:"http_passwd="; nocase; http_client_body; content:"http_passwdConfirm="; nocase; http_client_body; metadata:service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26278; rev:2;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_uri; content:"PasswdModify=1"; nocase; http_uri; content:"http_passwd="; nocase; http_uri; content:"http_passwdConfirm="; nocase; http_uri; metadata:service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26279; rev:3;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"%74%74%63%70%5f%69%70"; http_client_body; pcre:"/%74%74%63%70%5f%69%70%3d.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29830; rev:3;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"ttcp_ip"; http_client_body; pcre:"/ttcp_ip=.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:3;)
Linksys E1200v2 & Linksys E2500 & Cisco WRVS4400N
CVE-2012-5962
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"NOTIFY "; depth:7; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy security-ips drop, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:44743; rev:1;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"wait_time="; nocase; http_uri; pcre:"/[?&]wait_time=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46080; rev:1;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi wait_time cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"wait_time="; nocase; http_client_body; pcre:"/wait_time=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pim"; metadata:service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46081; rev:1;)
Linksys E1200v2 & Linksys E2500
CVE-2013-3307
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46082; rev:1;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_client_body; pcre:"/(^|&)next_page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46083; rev:1;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]next_page=[^&]*?\x2e\x2e\x2f/Ui"; metadata:service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46084; rev:1;)
Linksys E1200v2 & Linksys E2500
CVE-2013-3307
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; pcre:"/[?&]ping_(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46085; rev:1;)
Linksys E1200v2 & Linksys E2500
CVE-2013-3307
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)(ip|size|times)=[^&]*?%26/Ii"; metadata:service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46086; rev:1;)
Linksys E1200v2 & Linksys E2500
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E series denial of service attempt"; flow:to_server,established; content:"mfgtst.cgi"; fast_pattern:only; http_uri; metadata:service http; classtype:denial-of-service; sid:46287; rev:1;)
Cisco WRVS4400N
CVE-2014-0659
alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"MMcS"; depth:4; reference:cve,2014-0659; classtype:misc-activity; sid:46121; rev:1;)
Cisco WRVS4400N
CVE-2014-0659
alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"ScMM"; depth:4; reference:cve,2014-0659; classtype:misc-activity; sid:46122; rev:1;)
Cisco WRVS4400N
CVE-2014-0659
alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"MMcS"; depth:4; reference:cve,2014-0659; classtype:misc-activity; sid:46123; rev:1;)
Cisco WRVS4400N
CVE-2014-0659
alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"ScMM"; depth:4; reference:cve,2014-0659; classtype:misc-activity; sid:46124; rev:1;)


QNAP


QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 03|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33777; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 06|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33778; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 0B|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33779; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 0E|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33780; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 11|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33781; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 14|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33782; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 17|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33783; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 19|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33784; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade cipher suite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 03|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33785; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 06|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33786; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 08|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33787; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 0B|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33788; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 0E|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33789; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 11|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33790; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 14|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33791; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 17|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33792; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 19|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33793; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 08|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33794; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 26|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33795; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 27|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33796; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 28|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33797; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 29|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33798; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 2A|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33799; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-OTHER SSL export grade ciphersuite server negotiation attempt"; flow:to_client,established; ssl_state:server_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|02|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 2B|"; within:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33800; rev:5;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 26|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33801; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 27|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33802; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 28|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33803; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 29|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33804; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 2A|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33805; rev:4;)
QNAP TS251 & TS439 Pro
CVE-2015-4000
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"SERVER-OTHER SSL request for export grade ciphersuite attempt"; flow:to_server,established; ssl_state:client_hello; ssl_version:sslv3,tls1.0,tls1.1,tls1.2; content:"|01|"; depth:1; offset:5; content:"|03|"; within:1; distance:3; byte_test:1,<,4,0,relative; byte_jump:1,33,relative; content:"|00 2B|"; within:2; distance:2; metadata:service ssl; reference:cve,2015-0204; reference:cve,2015-1637; reference:cve,2015-4000; reference:url,freakattack.com; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-031; classtype:policy-violation; sid:33806; rev:4;)
QNAP TS251 & TS439 Pro
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP remote buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; http_uri; content:"p="; http_uri; isdataat:263,relative; content:!"&"; within:263; http_uri; content:!"|0D 0A|"; within:263; http_uri; metadata:ruleset community, service http; reference:url,seclists.org/bugtraq/2017/Jan/5; classtype:attempted-admin; sid:41445; rev:1;)
QNAP TS251 & TS439 Pro
alert tcp $EXTERNAL_NET any -> $HOME_NET 9251 (msg:"SERVER-OTHER QNAP transcode server command injection attempt"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|7C|"; distance:0; content:"|09|"; within:50; reference:url,www.qnap.com/en-us/; classtype:attempted-admin; sid:44971; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2013-0143
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; pcre:"/[?&]ping_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46297; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2013-0143
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)ip=[^&]*?%26/Ii"; metadata:service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46298; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2013-0143
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46299; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2013-0143
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?ping_ip((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46300; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2017-17027 through CVE-2017-17032
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow"; flow:to_server,established; content:"/cgi-bin/filemanager/wfm2Login.cgi"; fast_pattern:only; http_uri; content:"X-Forwarded-For"; nocase; http_raw_header; isdataat:90,relative; pcre:"/X-Forwarded-For:[^\n\r]{90}/Hsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.qnap.com/en/security-advisory/nas-201712-15; classtype:web-application-attack; sid:46301; rev:1;)
QNAP TS251 & TS439 Pro
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; pcre:"/[?&]SMB_(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:46305; rev:1;)
QNAP TS251 & TS439 Pro
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:46306; rev:1;)
QNAP TS251 & TS439 Pro
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB"; nocase; http_client_body; pcre:"/(^|&)SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:46307; rev:1;)
QNAP TS251 & TS439 Pro
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?SMB_(LOCATION|USERNAME)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:web-application-attack; sid:46308; rev:1;)
QNAP TS251 & TS439 Pro
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; content:"p="; nocase; http_uri; isdataat:260,relative; pcre:"/[?&]p=[^&\s]{260}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:46309; rev:1;)
QNAP TS251 & TS439 Pro
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; isdataat:35,relative; pcre:"/[?&]u=[^&\s]{35}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; classtype:attempted-admin; sid:46310; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2014-7228
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla restore.php PHP object injection attempt"; flow:to_server,established; content:"/administrator/components/com_joomlaupdate/restore.php"; fast_pattern:only; http_uri; content:"factory="; nocase; http_uri; content:"OjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7"; content:"aHR0cDovL"; metadata:service http; reference:cve,2014-7228; classtype:web-application-attack; sid:46315; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2015-7261
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"SERVER-OTHER QNAP QTS hard coded credential access attempt"; flow:to_server,established; content:"PASS joxu06wj/|0D 0A|"; fast_pattern:only; metadata:service ftp; reference:cve,2015-7261; classtype:default-login-attempt; sid:46335; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2014-7229
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt"; flow:to_server,established; content:"administrator/components/com_joomlaupdate/restoration.php"; fast_pattern:only; http_uri; metadata:service http; reference:cve,2014-7229; classtype:web-application-attack; sid:46340; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2014-7229
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt"; flow:to_client,established; file_data; content:"administrator/index.php"; fast_pattern:only; content:"option=com_joomlaupdate"; nocase; content:"task=update.install"; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2014-7229; classtype:web-application-attack; sid:46341; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2013-0144
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER QNAP QTS cross site request forgery attempt"; flow:to_client,established; file_data; content:"cgi-bin/create_user.cgi"; fast_pattern:only; content:"function="; nocase; content:"subfun="; nocase; content:"NAME="; nocase; content:"PASSWD="; nocase; content:"VERIFY="; nocase; metadata:service ftp-data, service http, service imap, service pop3; reference:cve,2013-0144; classtype:attempted-admin; sid:46342; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2016-3074
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46376; rev:1;)
QNAP TS251 & TS439 Pro
CVE-2016-3074
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46377; rev:1;)

 

MikroTik


MikroTik CCR 1016 & 1036
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE malicious file download attempt"; flow:to_server,established; content:"|2F 70 6F 63|"; http_uri; pcre:"/\x2f\x70\x6f\x63(\d*|\x5f[\x61-\x7a]+)\x2e(\x68\x74\x6d\x6c|\x78(\x6c\x73|\x73\x6c|\x6d\x6c)|\x6a(\x73|\x61\x76a)|\x61\x73\x70|\x70(\x64f|\x70\x74|\x48\x70|\x73\x64)|\x66\x6c\x76|\x73\x77\x66|\x64\x6fc|\x74\x74\x66|\x62\x6d\x70|\x6d(\x70\x33|\x33\x75))/Ui"; metadata:policy max-detect-ips drop, service http; classtype:misc-activity; sid:37963; rev:2;)
MikroTik CCR 1016 & 1036
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt"; flow:to_server,established; content:"/jsproxy"; depth:8; fast_pattern; nocase; http_uri; content:"|0D 0A|Content-Length: "; nocase; byte_test:10,>,0x20000,0,relative,string,dec; metadata:policy security-ips drop, service http; reference:url,forum.mikrotik.com/viewtopic.php?t=119308; classtype:attempted-admin; sid:45555; rev:1;)
MikroTik CCR 1016 & 1036
CVE-2018-7445
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS MikroTik RouterOS buffer overflow attempt"; flow:to_server,established; content:"|81 00|"; depth:2; byte_test:2,>,75,0,relative; byte_extract:2,0,len,relative; isdataat:!len,relative; isdataat:len; metadata:policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:bugtraq,103427; reference:cve,2018-7445; classtype:attempted-user; sid:46076; rev:1;)
MikroTik CCR 1016 & 1036
CVE-2017-7285
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel Challenge ACK provocation attempt"; flow:to_server; flags:+R; detection_filter:track by_src, count 200, seconds 1; reference:bugtraq,91704; reference:cve,2016-5696; classtype:attempted-admin; sid:40063; rev:1;)
MikroTik CCR 1016 & 1036
CVE-2012-6050
alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 (msg:"SERVER-OTHER Mikrotik RouterOS denial of service attempt"; flow:to_server,established; content:"|12 02|"; depth:2; content:"|FF ED 00 00 00 00|"; distance:0; reference:cve,2012-6050; classtype:denial-of-service; sid:44643; rev:1;)
MikroTik CCR 1016 & 1036
CVE-2015-2350
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt"; flow:to_server,established; content:"/cfg"; fast_pattern:only; http_uri; content:"process=password"; nocase; http_uri; content:"password1="; nocase; http_uri; content:"password2="; nocase; http_uri; content:"button="; nocase; http_uri; metadata:service http; reference:bugtraq,73013; reference:cve,2015-2350; classtype:policy-violation; sid:44790; rev:1;)

 

Netgear


Netgear R7000 & R6400
CVE-2016-6277
alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; content:"/cgi-bin/|3B|"; nocase; http_uri; content:"$"; distance:0; http_uri; content:"IFS"; within:4; http_uri; metadata:service http; reference:bugtraq,35742; reference:bugtraq,94819; reference:cve,2009-2765; reference:cve,2016-6277; classtype:attempted-admin; sid:26275; rev:3;)
Netgear WNDR4700 & R6200
CVE-2013-3071
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; fast_pattern:only; http_uri; metadata:service http; reference:bugtraq,59406; reference:cve,2013-3071; reference:url,osvdb.org/show/osvdb/92555; classtype:attempted-admin; sid:35734; rev:1;)
Netgear WNR2000
CVE-2016-10176
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt"; flow:to_server,established; content:"/apply_noauth.cgi"; depth:17; nocase; http_uri; metadata:policy security-ips drop, service http; reference:cve,2016-10176; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41095; rev:3;)
Netgear WNR2000
CVE-2016-10174
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt"; flow:to_server,established; content:"/lang_check"; nocase; http_uri; content:"hidden_lang_avi="; nocase; http_client_body; isdataat:36,relative; content:!"&"; within:36; http_client_body; metadata:policy security-ips drop, service http; reference:cve,2016-10174; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41096; rev:2;)
Netgear R6400 & R7000 & R8000
CVE-2017-5521
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt"; flow:to_server,established; content:"/passwordrecovered.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; metadata:policy security-ips drop, service http; reference:bugtraq,95457; reference:cve,2017-5521; reference:url,kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability; classtype:attempted-recon; sid:41504; rev:1;)
Netgear DGN2200
CVE-2017-6077
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_client_body; pcre:"/(^|&)ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy security-ips drop, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41698; rev:1;)
Netgear DGN2200
CVE-2017-6077
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping_IPAddr=[^&]*?%26/Ii"; metadata:policy security-ips drop, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41699; rev:1;)
Netgear DGN2200
CVE-2017-6077
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; pcre:"/[?&]ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy security-ips drop, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41700; rev:1;)
Netgear DGN2200
CVE-2017-6334
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?host_name((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy security-ips drop, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41748; rev:1;)
Netgear DGN2200
CVE-2017-6334
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_client_body; pcre:"/(^|&)host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy security-ips drop, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41749; rev:1;)
Netgear DGN2200
CVE-2017-6334
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]host_name=[^&]*?%26/Ii"; metadata:policy security-ips drop, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41750; rev:1;)
Netgear DGN2200
CVE-2017-6334
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; pcre:"/[?&]host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy security-ips drop, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41751; rev:1;)
Netgear DGN2200
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"currentsetting.htm"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44687; rev:1;)
Netgear DGN2200
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"todo=syscmd"; fast_pattern:only; content:"cmd="; nocase; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44688; rev:1;)
Netgear R6400 & R7000 & R8000
CVE-2016-6277
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; content:"$IFS"; http_uri; metadata:service http; classtype:web-application-attack; sid:44698; rev:1;)
Netgear R6400 & R7000 & R8000
CVE-2016-6277
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; content:"${IFS}"; http_uri; metadata:service http; classtype:web-application-attack; sid:44699; rev:1;)
Netgear WNR2000
CVE-2016-10175
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information leak attempt"; flow:to_server,established; content:"/BRS_netgear_success.html"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:cve,2016-10175; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-recon; sid:45001; rev:1;)
Netgear WNR2000
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/NETGEAR_WNR2000.cfg"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46312; rev:1;)
Netgear WNR2000
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/upg_restore.cgi"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46313; rev:1;)
Netgear WNR2000
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/router-info.htm"; fast_pattern:only; http_uri; metadata:service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46314; rev:1;)
Netgear DGN2200
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server,established; content:"|C0 F3 AC 2A 40 79 49 0C A3 6E 89 64 73 66 0F 0B|"; content:"|5D FC 67 3A 16 DC 00 56 A3 6E 89 64 73 66 0F 0B|"; classtype:attempted-admin; sid:46317; rev:1;)
Netgear DGN2200
alert udp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server; content:"|59 0D B1 E7 67 23 51 BA 5B 5D 52 33 91 0D 09 7F|"; content:"|09 44 80 0E DE B6 FA 3B 5B 5D 52 33 91 0D 09 7F|"; classtype:attempted-admin; sid:46318; rev:1;)
Netgear DGN2200
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/wlg_sec_profile_main.cgi"; fast_pattern:only; http_uri; content:"ssid="; nocase; http_client_body; pcre:"/ssid=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46322; rev:1;)
Netgear DGN2200
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/fw_serv_add.cgi"; fast_pattern:only; http_uri; content:"userdefined="; nocase; http_client_body; pcre:"/userdefined=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46323; rev:1;)

TP-Link

TP-Link R600VPN
alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; content:"|01 01 00|"; depth:3; byte_test:4,>=,0x0264,4,big; metadata:policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-user; sid:40866; rev:2;)
TP-Link R600VPN
alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt"; flow:to_server; content:"|01 02 00|"; depth:3; content:"|00 00|"; within:2; distance:7; metadata:policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-recon; sid:40907; rev:1;)
TP-Link R600VPN
CVE-2013-5211
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt"; flow:to_server; content:"M-SEARCH"; depth:9; content:"ssdp:all"; fast_pattern:only; detection_filter:track by_src,count 50,seconds 1; metadata:service ssdp; reference:cve,2013-5211; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:attempted-dos; sid:45157; rev:1;)
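As an added example (not part of this advisory or of the Talos rule set it quotes), the Python below does two things with rules in the format listed above: it splits a rule into its header fields and option list (so sid, references and match options can be extracted from the whole list programmatically), and it re-implements the payload checks of sid 40866 (dsize:>336, content:"|01 01 00|" within depth 3, byte_test:4,>=,0x0264,4,big) so the rule can be exercised offline against constructed TDDP-style datagrams. The packet builder and its field layout (a 32-bit big-endian length field at offset 4, following the TDDP header described in the Core Security advisory the rule references) are assumptions for illustration; the packets are constructed, not captured traffic.

```python
"""Added example: parse Snort rules from the list above and replay
the payload checks of sid 40866 against constructed UDP payloads.
Not part of the advisory or the Talos/community rule set."""
import re
import struct

# Rule text copied from the list above (TP-Link TDDP SET_CONFIG, sid 40866).
RULE_40866 = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link '
    'TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; '
    'content:"|01 01 00|"; depth:3; byte_test:4,>=,0x0264,4,big; '
    'metadata:policy security-ips drop, ruleset community; '
    'reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; '
    'classtype:attempted-user; sid:40866; rev:2;)'
)

_HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)


def _split_options(opts):
    """Split the rule body on ';' outside double quotes (honouring
    backslash escapes). Returns (keyword, value) pairs; value is None
    for flag-only keywords such as fast_pattern or http_uri."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
            continue
        if ch == '\\':
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = ''.join(buf).strip()
    if tail:
        parts.append(tail)
    result = []
    for p in parts:
        if p:
            key, sep, val = p.partition(':')
            result.append((key.strip(), val.strip() if sep else None))
    return result


def parse_rule(rule):
    """Return header fields plus an 'options' list for one Snort rule."""
    m = _HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a Snort rule header')
    d = m.groupdict()
    d['options'] = _split_options(d.pop('opts'))
    return d


def rule_sid(rule):
    return next((int(v) for k, v in parse_rule(rule)['options'] if k == 'sid'), None)


def rule_references(rule):
    return [v for k, v in parse_rule(rule)['options'] if k == 'reference']


def content_bytes(spec):
    """Snort content string -> bytes; |..| runs are hex, the rest literal."""
    out = bytearray()
    for i, seg in enumerate(spec.split('|')):
        out += bytes.fromhex(seg) if i % 2 else seg.encode('latin-1')
    return bytes(out)


def matches_tddp_set_config(payload):
    """Payload checks of sid 40866:
    dsize:>336 | content:"|01 01 00|"; depth:3 | byte_test:4,>=,0x0264,4,big
    (read 4 bytes at offset 4, big-endian, compare >= 0x264 = 612)."""
    if len(payload) <= 336:
        return False
    if payload[:3] != content_bytes('|01 01 00|'):   # depth:3 pins it to offset 0
        return False
    if len(payload) < 8:
        return False
    return struct.unpack_from('>I', payload, 4)[0] >= 0x0264


def build_tddp_packet(declared_len, filler_len):
    """Constructed sample (assumption, not captured traffic): version 1,
    type 1, code 0, replyInfo 0, 32-bit BE length at offset 4, then the
    remaining 20 header bytes zeroed and filler_len bytes of body."""
    header = bytes([0x01, 0x01, 0x00, 0x00]) + struct.pack('>I', declared_len) + b'\x00' * 20
    return header + b'A' * filler_len
```

A datagram only fires the rule when all three conditions hold: more than 336 bytes on the wire, the first three bytes 01 01 00, and a declared length of at least 0x264. A short datagram with a large declared length, or a long one whose length field is small, stays silent; that is the behaviour to keep in mind when tuning or testing this signature.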