1alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik RouterOS unauthenticated DNS cache poisoning (CVE-2019-3978)"; flow: established, to_server, no_stream; content: "M2"; offset: 4; depth: 2; content: "|01 00 00 08|"; content: "|07 00 FF 09 03|"; content: "|03 00 00 21|"; content: "|01 00 FF 88 01 00 0E 00 00 00|"; reference: cve, 2019-3978; reference: url, medium.com/tenable-techblog/routeros-chain-to-root-f4e0b07c0b21; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005475; rev: 4;)
3alert http any any -> any any (msg: "ATTACK [PTsecurity] Spring Core RCE aka Spring4Shell Attempt"; flow: established; content: "pipeline.first.pattern"; nocase; content: "getRuntime"; nocase; distance: 0; content: "exec"; nocase; pcre: "/(?:%25|%)(?:%7B|{)/i"; pcre: "/(?:%7D|})i/i"; reference: url, rules.ptsecurity.com; reference: url, www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html; classtype: attempted-admin; sid: 10007107; rev: 1;)
5alert http any any -> any any (msg: "ATTACK [PTsecurity] vBulletin <= 5.6.9 pre-auth RCE (CVE-2023-25135)"; flow: established, to_server; http.method; content: "POST"; http.request_body; content: "googlelogin_vendor_autoload"; nocase; content: "Monolog"; distance: 0; content: "Handler"; distance: 0; content: "SyslogUdpHandler"; distance: 0; content: "Monolog"; distance: 0; content: "Handler"; distance: 0; content: "BufferHandler"; distance: 0; content: "current"; distance: 0; reference: cve, 2023-25135; reference: url, rules.ptsecurity.com; reference: url, ambionics.io/blog/vbulletin-unserializable-but-unreachable; classtype: attempted-admin; sid: 10008756; rev: 1;)
7alert http any any -> any any (msg: "ATTACK [PTsecurity] GitLab Arbitrary File Read (CVE-2023-2825)"; flow: established, to_server; http.uri.raw; content: "/uploads/"; nocase; content: "%2f..%2f"; nocase; distance: 0; pcre: "/\/+([a-zA-Z0-9_-]+\/+){5,}uploads\/+/I"; reference: url, rules.ptsecurity.com; reference: url, labs.watchtowr.com/gitlab-arbitrary-file-read-gitlab-cve-2023-2825-analysis; reference: cve, 2023-2825; classtype: attempted-admin; sid: 10008999; rev: 2;)
9alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Possible Ivanti Avalanche RCE (CVE-2023-32560)"; flow: established, to_server; content: "|00 00 00 02 00 00 00 05|"; content: "h.mid"; distance: 4; within: 5; pcre: "/^.{20}\x00\x00\x00[\x03\x65]/R"; byte_test: 4, >, 340, 4, relative; reference: url, rules.ptsecurity.com; reference: url, www.tenable.com/security/research/tra-2023-27; reference: cve, 2023-32560; classtype: attempted-admin; sid: 10010882; rev: 2;)
11alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Possible Ivanti Avalanche RCE (CVE-2023-32560)"; flow: established, to_server; content: "|00 00 00 02 00 00 00 05|"; content: "h.mid"; distance: 4; within: 5; content: "|00 00 00 09|"; distance: 20; within: 4; byte_test: 4, >, 149, 4, relative; reference: url, rules.ptsecurity.com; reference: url, www.tenable.com/security/research/tra-2023-27; reference: cve, 2023-32560; classtype: attempted-admin; sid: 10010958; rev: 1;)
13alert http any any -> any any (msg: "ATTACK [PTsecurity] Cookieless string in ASP.NET (CVE-2023-36899)"; flow: established, to_server; http.uri; content: "/("; fast_pattern; content: "))"; distance: 0; pcre: "/\/\([A-Z]\(.*?\)\).*?\)\)/"; reference: url, rules.ptsecurity.com; reference: url, soroush.me/blog/2023/08/cookieless-duodrop-iis-auth-bypass-app-pool-privesc-in-asp-net-framework-cve-2023-36899; reference: cve, 2023-36899; classtype: attempted-admin; sid: 10009357; rev: 3;)
15alert http any any -> any any (msg: "ATTACK [PTsecurity] Ivanti Sentry RCE attempt (CVE-2023-38035)"; flow: established, to_server; http.uri; content: "/mics/services/MICSLogService"; http.header; content: "application/x-hessian"; http.request_body; content: "uploadFileUsingFileInput"; content: "command"; distance: 0; content: "isRoot"; reference: cve, 2023-38035; reference: url, rules.ptsecurity.com; reference: url, horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/; classtype: attempted-admin; sid: 10010662; rev: 1;)
17alert http any any -> any any (msg: "ATTACK [PTsecurity] Fortra FileCatalyst RCE (CVE-2024-25153)"; flow: established, to_server; http.uri; content: "/servlet/ftpservlet"; nocase; content: "PUT"; nocase; distance: 0; content: "sid"; nocase; pcre: "/^[^\&]*=[^\&]*[\\\/]\.{2}[\\\/]/RU"; reference: cve, 2024-25153; reference: url, rules.ptsecurity.com; reference: url, labs.nettitude.com/blog/cve-2024-25153-remote-code-execution-in-fortra-filecatalyst/; classtype: attempted-admin; sid: 10011291; rev: 1;)
19alert http any any -> any any (msg: "ATTACK [PTsecurity] Veeam Backup Manager Authentication Bypass (CVE-2024-29849). XB set CVE-2024-29849.POST"; flow: established, to_server; http.uri; content: "/api/sessionMngr"; http.request_body; content: "VMwareSSOToken"; pcre: "/(?:PHNhbWwyOklzc3Vlcj|xzYW1sMjpJc3N1ZXI+|c2FtbDI6SXNzdWVyPg)/RP"; xbits: set, CVE-2024-29849.POST, track ip_src, expire 15; flowbits: noalert; reference: cve, 2024-29849; reference: url, rules.ptsecurity.com; reference: url, summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass/; classtype: attempted-admin; sid: 10011480; rev: 1;)
21alert http any any -> any any (msg: "ATTACK [PTsecurity] Veeam Backup Manager Authentication Bypass (CVE-2024-29849)"; flow: established, from_server; http.response_body; content: "RequestSecurityTokenResponse"; content: "urn:oasis:names:tc:SAML:2.0:assertion"; distance: 0; content: "<Code>"; distance: 0; content: "status/valid"; distance: 0; xbits: isset, CVE-2024-29849.POST, track ip_src; reference: cve, 2024-29849; reference: url, rules.ptsecurity.com; reference: url, summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass/; classtype: attempted-admin; sid: 10011481; rev: 1;)
23alert http any any -> any any (msg: "ATTACK [PTsecurity] Mismatch URI and Host header. Possible Squid cache poisoning"; content: "GET"; http_method; content: "://"; fast_pattern; distance: 0; http_raw_uri; pcre: "/^\w+\s+\w+:\/\/\S+\s+.*?[\r\n].*?Host:[ \t]+[\w\.:]+\b/is"; pcre: ! "/^\w+\s+\w+:\/\/([^\/\s:#]+)[\/\s:#]\S*.+?Host:[ \t]*\1\S*\b/is"; reference: url, bugs.squid-cache.org/show_bug.cgi?id=4501; reference: cve, 2016-4554; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000035; rev: 5;)
alert http any any -> any any (msg: "ATTACK [PTsecurity] Magento < 2.0.6 Arbitrary file write"; content: "rest/V1/guest-carts/"; http_raw_uri; content: "set-payment-information"; http_raw_uri; fast_pattern; content: "|5C 75 30 30 30 30|"; content: "Magento\\\\Sales\\\\Model\\\\Order\\\\Payment\\\\Transaction"; reference: cve, 2016-4010; reference: url, netanelrub.in/2016/05/17/magento-unauthenticated-remote-code-execution; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000042; rev: 2;)
27alert http any any -> any any (msg: "ATTACK [PTsecurity] GraphicsMagick popen shell vulnerability"; flow: established,to_server; content: "<?xml"; http_client_body; content: "<svg"; http_client_body; fast_pattern; pcre: "/xlink:href\s*=\s*\x22\|/RPi"; reference: url, permalink.gmane.org/gmane.comp.security.oss.general/19669; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000044; rev: 2;)
29alert http any any -> any any (msg: "ATTACK [PTsecurity] GraphicsMagick popen shell vulnerability"; flow: established,to_server; content: "viewbox "; nocase; http_client_body; fast_pattern; pcre: "/image\s+copy\s+\d+\s*,\s*\d+\s+\d+\s*,\s*\d+\s*\x22\|/RPi"; reference: url, permalink.gmane.org/gmane.comp.security.oss.general/19669; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000045; rev: 2;)
31alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Continuum <= v1.4.2 CMD Injection"; content: "POST"; http_method; content: "/continuum/saveInstallation.action"; offset: 0; depth: 34; http_uri; content: "installation.varValue="; nocase; http_client_body; pcre: "/^[^&]*(?:\x60|%60|\x7c|%7c|\x3b|%3b|\x24\x28|%24%28|\x24\x7b|%24%7b|%0a)/iRP"; flow: to_server, established; reference: url, exploit-db.com/exploits/39886; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000048; rev: 3;)
33alert http any any -> any any (msg: "ATTACK [PTsecurity] FreePBX 13/14 Malicious Filename Upload attempt"; flow: to_server; content: "POST"; http_method; nocase; content: "/admin/ajax.php?"; http_uri; content: "module=recordings"; http_uri; content: "command=savebrowserrecording"; http_uri; content: "Content-Type: multipart/form-data"; nocase; http_header; pcre: "/Content-Disposition: form-data\; name=\x22filename\x22\r\n\r\n[^\r\n]*\x60[^\r\n]*\x60.*\r\n/P"; xbits: set, FreePBXMaliciousFilenameUpload, track ip_dst, expire 30; reference: exploitdb, 40232; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000082; rev: 3;)
35alert http any any -> any any (msg: "ATTACK [PTsecurity] FreePBX 13/14 Remote Command Execution"; flow: to_server; content: "POST"; http_method; nocase; content: "/admin/ajax.php"; http_uri; content: "Content-Type: application/x-www-form-urlencoded"; nocase; http_header; pcre: "/file=[^&]*\x60[^&]*\x60/P"; pcre: "/module=recordings/P"; xbits: isset, FreePBXMaliciousFilenameUpload, track ip_dst; reference: exploitdb, 40232; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10000083; rev: 3;)
37alert http any any -> any any (msg: "ATTACK [PTsecurity] FreePBX 13/14 Remote Command Execution attempt"; flow: to_server; content: "POST"; http_method; content: "/admin/ajax.php"; http_uri; content: "Content-Type: application/x-www-form-urlencoded"; nocase; http_header; pcre: "/file=[^&]*\x60[^&]*\x60/P"; pcre: "/module=recordings/P"; xbits: isnotset, FreePBXMaliciousFilenameUpload, track ip_dst; reference: exploitdb, 40232; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000084; rev: 3;)
39alert udp any any -> any 161 (msg: "ATTACK [PTsecurity] Cisco Adaptive Security Appliance 8.x SNMP overflow RCE Probe"; content: "|a035020100020100020100302a300c06082b060102010101000500300c06082b060102010103000500300c06082b060102010105000500|"; isdataat: !1, relative; reference: url, blogs.cisco.com/security/shadow-brokers; reference: cve, 2016-6366; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000098; rev: 2;)
41alert udp any any -> any 161 (msg: "ATTACK [PTsecurity] Cisco Adaptive Security Appliance 8.x SNMP overflow RCE Attempt"; byte_jump: 1, 6; content: "|A5|"; content: "|2B 06 01 02 01 01 01|"; distance: 0; content: "|2B 06 01 04 01 09 09 83 6B 01 03 03 01 01 05 09|"; isdataat: 30,relative; reference: url, blogs.cisco.com/security/shadow-brokers; reference: cve, 2016-6366; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000099; rev: 2;)
43alert tcp any any -> any any (msg: "ATTACK [PTsecurity] EpicBanana Exploitation"; content: "|50 16 60 16 b8 16 82 16 aa 16 aa 16 aa 16 35 16 aa 16 aa 16 aa 16 aa|"; depth: 24; reference: url, tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli; reference: cve, 2016-6367; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000125; rev: 1;)
45alert tcp any any -> any any (msg: "ATTACK [PTsecurity] MySQL <= 5.7.15, 5.6.33, 5.5.53 root RCE/Privilege Escalation attempt"; content: "|03|"; offset: 4; depth: 1; content: "736574"; distance: 0; content: "6c6f675f66696c65"; distance: 0; content: "6d79"; distance: 0; content: "2e636e66"; distance: 0; within: 14; reference: url, legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; reference: cve, 2016-6662; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000128; rev: 1;)
47alert tcp any any -> any any (msg: "ATTACK [PTsecurity] MySQL <= 5.7.15, 5.6.33, 5.5.53 root RCE/Privilege Escalation attempt"; content: "|03|"; offset: 4; depth: 1; content: "set"; distance: 0; content: "log_file"; distance: 0; content: "my"; distance: 0; content: ".cnf"; distance: 0; within: 7; reference: url, legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html; reference: cve, 2016-6662; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000129; rev: 1;)
49alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (AddJobSet)"; flow: established, no_stream; content: "GIOP"; depth: 4; content: "SchedulerInterface"; distance: 0; content: "AddJobSet"; distance: 0; flowbits: set, Omnivista.SchedulerInterface.AddJobSet; flowbits: noalert; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000677; rev: 1;)
51alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (AddJob)"; flow: established, no_stream; content: "GIOP"; depth: 4; byte_jump: 4,24; content: "|00 00 00 07|AddJob|00|"; within: 11; flowbits: isset, Omnivista.SchedulerInterface.AddJobSet; flowbits: set, Omnivista.SchedulerInterface.AddJob; flowbits: noalert; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000678; rev: 1;)
53alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Omnivista 8770 UnAuth RCE (ExecuteNow)"; flow: established, no_stream; content: "GIOP"; depth: 4; byte_jump: 4,24; content: "|00 00 00 0B|ExecuteNow|00|"; within: 15; flowbits: isset, Omnivista.SchedulerInterface.AddJob; reference: url, blog.malerisch.net/2016/12/alcatel-omnivista-8770-unauth-rce-giop-corba.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000679; rev: 1;)
55alert http any any -> any any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) RSS Request"; flow: established, to_server; content: "/nagios/rss-"; http_uri; content: ".php"; http_uri; distance: 0; content: "User-Agent: magpie"; http_header; nocase; flowbits: set, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000777; rev: 1;)
57alert http any any -> any any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) Attempt"; flow: established, from_server; content: "302"; http_stat_code; content: "nagios"; http_header; flowbits: isset, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000778; rev: 1;)
59alert http any any -> any any (msg: "ATTACK [PTsecurity] Nagios Core < 4.2.2 Curl Command Injection (CVE-2016-9565) Remote Script Execution"; flow: established, from_server; content: "302"; http_stat_code; content: "--trace-ascii"; http_header; content: " -F"; http_header; pcre: "/Location\:(?:.*?\s+-F\S+\s+){2}/Hi"; flowbits: isset, CVE.2016-9565.RSSRequest; reference: url, legalhackers.com/advisories/Nagios-Exploit-Command-Injection-CVE-2016-9565-2008-4796.html; reference: cve, 2016-9565; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000779; rev: 1;)
61alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Struts < 2.3.32 < 2.5.10.1 RCE through Jakarta Multipart parser Attempt"; flow: established, to_server; content: "%{"; fast_pattern; http_header; content: "multipart/form-data"; http_header; content: "#_memberAccess"; http_header; content: "@java"; http_header; reference: cve, 2017-5638; reference: url, paper.seebug.org/241/; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001065; rev: 3;)
63alert http any any -> any any (msg: "ATTACK [PTsecurity] MS IIS 6.0 BO RCE (CVE-2017-7269)"; flow: to_server, established; content: "PROPFIND"; http_method; content: "If: <"; http_header; nocase; pcre: "/^If: <[^\r\n>]+[\x7F-\xFF]/Hmi"; reference: url, www.helpnetsecurity.com/2017/03/30/cve-2017-7269/; reference: cve, 2017-7269; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001195; rev: 2;)
65alert http any any -> any any (msg: "ATTACK [PTsecurity] Safari 10.0.3 UAF RCE (CVE-2017-2491)"; flow: established, from_server; file_data; content: "RegExp"; content: ".repeat"; within: 25; content: ".repeat"; within: 50; content: ".repeat"; within: 50; content: "ArrayBuffer"; within: 100; content: "Uint8Array"; within: 50; content: "Float64Array"; within: 50; content: "jsCellHeader"; distance: 0; content: "butterfly"; distance: 0; reference: cve, 2017-2491; reference: url, github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001322; rev: 2;)
67alert http any any -> any any (msg: "ATTACK [PTsecurity] Safari 10.0.3 UAF RCE (CVE-2017-2491)"; flow: established, from_server; file_data; content: "0x40000"; content: "0x1000"; content: "0x10000000"; content: "0x7ffff000"; content: "0x80"; content: "0x81"; content: "0x50"; reference: cve, 2017-2491; reference: url, github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001326; rev: 1;)
69alert smb any any -> any any (msg: "ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|ff 53 4d 42 a2|"; offset: 4; depth: 5; byte_extract: 2, 85, name_length, little; content: "|2f|"; within: name_length; pcre: "/(?:\.\x00s\x00o\x00|\.so\x00)(?:$|[^b])/Ri"; threshold: type limit, track by_src, count 1, seconds 30; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001356; rev: 8;)
71alert smb any any -> any any (msg: "ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; fast_pattern; byte_extract: 2, 114, name_length, little; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|2f|"; within: name_length; pcre: "/(?:\.\x00s\x00o\x00|\.so\x00)(?:$|[^b])/Ri"; threshold: type limit, track by_src, count 1, seconds 30; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001357; rev: 9;)
73alert smb any any -> any any (msg: "ATTACK [PTsecurity] Samba RCE exploitation attempt (SambaCry)"; flow: to_server, established, no_stream; content: "|ff 53 4d 42 2d|"; offset: 4; depth: 5; byte_extract: 2, 67, name_length, little; content: "|2f|"; distance: 2; within: name_length; content: !"|04|"; distance: 0; within: 1; reference: cve, 2017-7494; reference: url, www.samba.org/samba/security/CVE-2017-7494.html; reference: url, thehackernews.com/2017/05/samba-rce-exploit.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001438; rev: 1;)
75alert smb any any -> any any (msg: "ATTACK [PTsecurity] Petya ransomware perfc component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; distance: 8; within: 2; content: "W|00|i|00|n|00|d|00|o|00|w|00|s|00 5c 00|p|00|e|00|r|00|f|00|c|00|"; nocase; distance: 106; within: 36; reference: url, rules.ptsecurity.com; reference: url, www.ptsecurity.com/ru-ru/about/news/vse-chto-vy-hoteli-uznat-o-notpetya-no-boyalis-sprosit/; classtype: successful-admin; sid: 10001443; rev: 3;)
77alert http any any -> any any (msg: "ATTACK [PTsecurity] SVN/Git Remote Code Execution through malicious (svn+,git+)ssh:// URL (Multiple CVEs)"; flow: established, from_server; content: "30"; http_stat_code; depth: 2; content: "Location:"; http_header; nocase; content: "ssh://"; nocase; http_header; distance: 0; pcre: "/ssh:\/\/(?:[^@\s]+@)?(?:[\w\:\.\-\[\]\@]+[^\w\:\.\-\[\]\@\/\ ]|[^\w\:\.\-\[\]\@\/\ ][\w\:\.\-\[\]\@])/Hi"; reference: cve, 2017-9800; reference: cve, 2017-12426; reference: cve, 2017-1000116; reference: cve, 2017-1000117; reference: url, subversion.apache.org/security/CVE-2017-9800-advisory.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001763; rev: 2;)
alert tcp any 5672 -> any any (msg: "ATTACK [PTsecurity] Spring AMQP <1.7.4, 1.6.11, 1.5.7 Java Object Deserialization RCE (CVE-2017-8045)"; flow: established, no_stream; content: "application/x-java-serialized-object"; nocase; content: "|03|"; distance: 1; within: 1; content: "java."; distance: 0; pcre: "/application/x-java-serialized-object.{0,110}(?:org\.(?:apache\.|springframework\.|jboss\.|hibernate\.)|java(?:x\.management\.|\.rmi\.)|com\.sun\.|sun\.reflect\.)/"; reference: cve, 2017-8045; reference: url, pivotal.io/security/cve-2017-8045; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002274; rev: 1;)
81alert smtp any any -> any any (msg: "ATTACK [PTsecurity] Exim 4.88, 4.89 UAF RCE Attempt (CVE-2017-16943)"; flow: established, to_server; content: "BDAT"; content: "BDAT"; within: 10; pcre: "/BDAT\s*\D[^\n\r]*[\n\r][^\n\r]{100}/"; reference: cve, 2017-16943; reference: url, bugs.exim.org/show_bug.cgi?id=2199; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002280; rev: 2;)
83alert http any any -> any any (msg: "ATTACK [PTsecurity] SAP NetWeaver AS Java UDDI 7.11-7.50 SQL Injection (CVE-2016-2386)"; flow: established, to_server; content: "POST"; http_method; content: "/UDDISecurityService/UDDISecurityImplBean"; http_uri; fast_pattern; content: "permissionId"; http_client_body; content: "|27|"; http_client_body; distance: 0; pcre: "/permissionId\s*>[^<]+?\x27/Pi"; reference: cve, 2016-2386; reference: url, github.com/vah13/SAP_exploit; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002408; rev: 1;)
85alert http any any -> any any (msg: "ATTACK [PTsecurity] GitStack Arbitrary PHP upload RCE (CVE-2018-5955)"; flow: established, to_server; content: "/web/index.php?"; http_uri; content: ".git"; distance: 0; http_uri; content: "Authorization:"; http_header; nocase; content: "Basic"; distance: 0; http_header; nocase; pcre: "/Basic\s+/i"; base64_decode: offset 0, relative; base64_data; pcre: "/&\s/"; reference: url, blogs.securiteam.com/index.php/archives/3557; reference: cve, 2018-5955; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002449; rev: 4;)
87alert http any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server; content: "POST"; http_method; content: "/jsproxy"; http_uri; fast_pattern; content: "Content-Length: "; http_header; content: !"|0D|"; within: 5; http_header; xbits: set, RouterOS.StackClash.POST2, track ip_src, expire 10; flowbits: noalert; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClashMIPS.py; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002456; rev: 1;)
89alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server, no_stream; content: "|24 50 00 00 26 04 00 40 AE 04 FF F0 26 11 00 50 AE 11 FF F4 26 11 00 60 AE 11 FF F8 22 05 FF F0 22 06 FF FC 24 02 0F AB 00 00 00 0C|"; content: "/bin"; within: 30; xbits: isset, RouterOS.StackClash.POST2, track ip_src; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClashMIPS.py; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002457; rev: 1;)
91alert http any any -> any any (msg: "ATTACK [PTsecurity] Possible Mikrotik Router OS 6.38.4 Stack Clash RCE"; flow: established, to_server; content: "POST"; http_method; content: "/jsproxy"; http_uri; fast_pattern; content: "Content-Length: "; http_header; content: !"|0D|"; within: 6; http_header; byte_test: 0, =, 167936, 0, relative, string; reference: url, github.com/BigNerd95/Chimay-Red/blob/master/StackClash_x86.py; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002459; rev: 7;)
93alert icmp any any -> any any (msg: "ATTACK [PTsecurity] Dnsmasq <2.78 Heap Based Buffer Overflow (CVE-2017-14492)"; itype: 133; icode: 0; content: "|01|"; offset: 4; depth: 1; byte_test: 1, >, 150, 0, relative; isdataat: 1500, relative; reference: cve, 2017-14492; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002469; rev: 2;)
95alert udp any any -> any 547 (msg: "ATTACK [PTsecurity] Possible Dnsmasq <2.78 DHCPv6 Link Layer Address Stack Overflow (CVE-2017-14493)"; flow: no_stream; content: "|0C|"; depth: 1; content: "|00 4F|"; distance: 33; within: 2; byte_test: 2, >, 16, 0, relative, big; isdataat: 18,relative; reference: cve, 2017-14493; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002473; rev: 1;)
97alert udp any any -> any 547 (msg: "ATTACK [PTsecurity] Possible Dnsmasq <2.78 DHCPv6 Sensitive info leak (CVE-2017-14494)"; flow: no_stream; content: "|0C|"; depth: 1; content: "|00 09|"; distance: 33; within: 2; content: "|00 01|"; distance: 24; within: 2; byte_test: 2, >, 2, 0, relative, big; isdataat: !3,relative; reference: cve, 2017-14494; reference: url, security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002475; rev: 1;)
99alert http any any -> any any (msg: "ATTACK [PTsecurity] GitHub Electron <1.8.2-beta.4, <1.7.11, <1.6.16 protocol handler RCE (CVE-2018-1000006)"; flow: established, from_server; content: "://"; content: "--gpu-launcher="; nocase; pcre: "/(powershell|cmd|python|bash|\.exe)/i"; reference: cve, 2018-1000006; reference: url, electronjs.org/blog/protocol-handler-fix; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002500; rev: 2;)
101alert http any any -> any any (msg: "ATTACK [PTsecurity] GitHub Electron <1.8.2-beta.4, <1.7.11, <1.6.16 protocol handler RCE (CVE-2018-1000006)"; flow: established, from_server; content: "://"; content: "-cmd-prefix="; nocase; pcre: "/(powershell|cmd|python|bash|\.exe)/i"; reference: cve, 2018-1000006; reference: url, electronjs.org/blog/protocol-handler-fix; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002501; rev: 3;)
103alert tcp any any -> any 139 (msg: "ATTACK [PTsecurity] Mikrotik <6.41.3 <6.42rc27 RCE Attempt (CVE-2018-7445)"; flow: established, to_server, no_stream; stream_size: client, <, 200; content: "|81 00|"; depth: 2; fast_pattern; byte_test: 1, >, 0x20, 2, relative; content: "|00 00 00|"; distance: 0; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002680; rev: 2;)
105alert tcp any any -> any 139 (msg: "ATTACK [PTsecurity] ShellCode Upload Mikrotik <6.41.3 <6.42rc27 RCE (CVE-2018-7445)"; flow: established, to_server, only_stream; content: "|00 00 eb 02 00 00 eb 02|"; depth: 8; pcre: "/(?:\x00\x00\xeb\x02){10}/R"; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002681; rev: 1;)
107alert tcp any 139 -> any any (msg: "ATTACK [PTsecurity] Successful Mikrotik <6.41.3 <6.42rc27 RCE (CVE-2018-7445)"; flow: established, from_server, no_stream; content: "sh: "; depth: 4; reference: cve, 2018-7445; reference: url, www.coresecurity.com/advisories/mikrotik-routeros-smb-buffer-overflow; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10002682; rev: 1;)
109alert tcp any any -> any 4786 (msg: "ATTACK [PTsecurity] Cisco Smart Install 15.2(5)E RCE (CVE-2018-0171)"; flow: established, to_server, no_stream; content: "|00 00 00 01 00 00 00 07|"; offset: 4; depth: 8; content: "|00 00 00 01|"; distance: 4; within: 4; isdataat: 210, relative; reference: cve, 2018-0171; reference: url, embedi.com/blog/cisco-smart-install-remote-code-execution; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002774; rev: 1;)
111alert http any any -> any any (msg: "ATTACK [PTsecurity] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE through registration form (CVE-2018-7600)"; flow: established, to_server; content: "/user/register"; http_uri; content: "POST"; http_method; content: "drupal"; http_client_body; pcre: "/(%23|#)(access(?:_|%5f)callback|pre(?:_|%5f)render|post(?:_|%5f)render|lazy(?:_|%5f)builder)/Pi"; reference: cve, 2018-7600; reference: url, research.checkpoint.com/uncovering-drupalgeddon-2; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002808; rev: 3;)
113alert http any any -> any any (msg: "ATTACK [PTsecurity] Drupalgeddon2 <7.5.9 <8.4.8 <8.5.3 RCE (CVE-2018-7602)"; flow: established, to_server; content: "markup"; http_uri; pcre: "/(%2523|%23|#)markup/U"; pcre: "/(%2523|%23|#)type/U"; reference: cve, 2018-7602; reference: url, www.bleepingcomputer.com/news/security/hackers-dont-give-site-owners-time-to-patch-start-exploiting-new-drupal-flaw-within-hours/; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002866; rev: 1;)
115alert tcp any 3389 -> any any (msg: "ATTACK [PTsecurity] MS RDP CredSSP Remote Code Execution MitM (CVE-2018-0886)"; flow: established, from_server, only_stream; content: "|16 03|"; content: "|0B|"; distance: 3; within: 1; content: "|06 09 2a 86 48 86 f7 0d 01 01 01|"; distance: 0; content: "D|00|i|00|s|00|a|00|l|00|l|00|o|00|w|00|S|00|t|00|a|00|r|00|t|00|I|00|f|00|O|00|n|00|B|00|a|00|t|00|t|00|e|00|r|00|i|00|e|00|s|00|"; nocase; distance: 0; content: "E|00|x|00|e|00|c|00|"; nocase; distance: 0; content: "C|00|o|00|m|00|m|00|a|00|n|00|d|00|"; nocase; distance: 0; reference: cve, 2018-0886; reference: url, blog.preempt.com/how-we-exploited-the-authentication-in-ms-rdp; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002831; rev: 1;)
117alert udp any 67 -> any 68 (msg: "ATTACK [PTsecurity] DHCP Client Script WPAD option Exploit (CVE-2018-1111)"; content: "|63 82 53 63|"; fast_pattern; content: "|FC|"; distance: 0; byte_extract: 1, 0, length, relative; content: "'"; within: length; pcre: "/^[\x20-\x7E]+(sh|nc|wget|curl|echo|cat|id|uname)/Ri"; reference: cve, 2018-1111; reference: url, dynoroot.ninja; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10002975; rev: 1;)
119alert http any any -> any any (msg: "ATTACK [PTsecurity] Modx Revolution CMS < 2.6.4 RCE by PoC (CVE-2018-1000207)"; flow: established, to_server; content: "POST"; http_method; content: "/connectors/system/phpthumb.php"; http_uri; content: "IMresizedData"; nocase; http_client_body; content: "cache_filename"; nocase; http_client_body; reference: cve, 2018-1000207; reference: url, rudnkh.me/posts/critical-vulnerability-in-modx-revolution-2-6-4; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003350; rev: 1;)
121alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Portals Pluto 3.0.0 RCE (CVE-2018-1306)"; flow: established, to_server; content: "HEAD"; http_method; content: "/pluto/portal/File Upload"; http_uri; depth: 25; content: "<%"; http_client_body; content: ".jsp"; http_client_body; reference: cve, 2018-1306; reference: url, packetstormsecurity.com/files/149366/apacheportalspluto300-exec.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003786; rev: 1;)
# CVE-2018-15379 stage 1 (noalert): TFTP DATA block 1 (|00 03 00 01|) whose payload starts a JSP page ("<%@").
# Sets CVE.2018-15379.JSP1 for sid 10003908. Direction is from_server -- presumably because the TFTP data
# transfer runs on a new port pair first seen from the server's ACK, so the uploading client appears as the
# flow's server side; confirm against your sensor's UDP flow handling before changing it.
123alert udp any any -> any any (msg: "ATTACK [PTsecurity] Cisco Prime Infrastructure < 3.4.1 & 3.3.1 TFTP RCE (CVE-2018-15379)"; flow: established, from_server; content: "|00 03 00 01|"; depth: 4; content: "<%@"; flowbits: set, CVE.2018-15379.JSP1; flowbits: noalert; reference: cve, 2018-15379; reference: url, seclists.org/fulldisclosure/2018/Oct/19; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003907; rev: 1;)
# CVE-2018-15379 stage 2: a later TFTP DATA block (|00 03 00|) on the same flow containing "/CSCOlumos/"
# followed by "runrshell"; fires only after stage 1 (sid 10003907) saw the JSP header. The two rules are
# flowbit-coupled: disabling 10003907 silently disables this one as well.
125alert udp any any -> any any (msg: "ATTACK [PTsecurity] Cisco Prime Infrastructure < 3.4.1 & 3.3.1 TFTP RCE (CVE-2018-15379)"; flow: established, from_server; content: "|00 03 00|"; depth: 3; content: "/CSCOlumos/"; content: "runrshell"; distance: 0; flowbits: isset, CVE.2018-15379.JSP1; reference: cve, 2018-15379; reference: url, seclists.org/fulldisclosure/2018/Oct/19; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003908; rev: 1;)
# CVE-2018-14847 (Winbox "bytheway"): Winbox message (|01 00| at offset 1, "M2" marker right after) whose
# path argument traverses ("/../") to /flash/rw/store/user.dat -- the password store named in the msg --
# followed by the |02 00 00 00 02 00 00 00| trailer used by the PoC. No port restriction, so Winbox on a
# non-default port is covered too.
127alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Mikrotik <6.42 Password disclosure path traversal (CVE-2018-14847)"; flow: established, to_server; content: "|01 00|"; offset: 1; depth: 2; content: "M2"; distance: 1; within: 2; content: "/../"; distance: 0; content: "/flash/rw/store/user.dat"; distance: 0; content: "|02 00 00 00 02 00 00 00|"; distance: 0; reference: cve, 2018-14847; reference: url, github.com/tenable/routeros/tree/master/poc/bytheway; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003917; rev: 1;)
# CVE-2018-8495: server response body containing a wshfile: URL with a ".." traversal segment that ends in
# .vbs. fast_pattern on "wshfile:" keeps the prefilter cheap; the pcre (/Q = response body) enforces the
# full URL shape. Direction is from_server: this fires when the malicious page is delivered, not on execution.
129alert http any any -> any any (msg: "ATTACK [PTsecurity] MS Edge WScript Command Injection RCE (CVE-2018-8495)"; flow: established, from_server; content: "wshfile:"; nocase; http_server_body; fast_pattern; content: ".."; distance: 0; http_server_body; content: ".vbs"; distance: 0; nocase; http_server_body; pcre: "/wshfile:[^\x22\x27\s]+(\\|\/)\.\.(\\|\/)[^\x22\x27\s]+\.vbs/Qi"; reference: cve, 2018-8495; reference: url, leucosite.com/Microsoft-Edge-RCE; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003930; rev: 2;)
# CVE-2018-15442 stage 1 (probe): DCE/RPC request over SMB (|05 00 00| = v5.0 request) on 445 whose opnum,
# 19 bytes further into the header, is |10 00| (16 -- consistent with SVCCTL OpenServiceW) and whose
# arguments name "webexservice" in UTF-16LE. Sets CVE.2018-15442.Probe for sid 10003983. There is no
# noalert here, so a probe on its own is reported.
131alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] Webexservice Service Probe (CVE-2018-15442)"; flow: established, to_server, no_stream; content: "SMB"; depth: 8; content: "|05 00 00|"; distance: 0; content: "|10 00|"; distance: 19; within: 3; content: "w|00|e|00|b|00|e|00|x|00|s|00|e|00|r|00|v|00|i|00|c|00|e|000000|"; nocase; distance: 0; flowbits: set, CVE.2018-15442.Probe; reference: url, webexec.org; reference: cve, 2018-15442; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003982; rev: 1;)
# CVE-2018-15442 stage 2: DCE/RPC request with opnum |13 00| (19 -- consistent with SVCCTL StartServiceW)
# whose arguments contain "software-update" in UTF-16LE, on a flow where sid 10003982 already set the probe
# flowbit. Taken together the pair reads: open webexservice, then start it with caller-supplied arguments.
133alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] Webexservice remote privileged command execution (CVE-2018-15442)"; flow: established, to_server, no_stream; content: "SMB"; depth: 8; content: "|05 00 00|"; distance: 0; content: "|13 00|"; distance: 19; within: 3; content: "s|00|o|00|f|00|t|00|w|00|a|00|r|00|e|00|-|00|u|00|p|00|d|00|a|00|t|00|e|00|"; nocase; distance: 0; flowbits: isset, CVE.2018-15442.Probe; reference: url, webexec.org; reference: cve, 2018-15442; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003983; rev: 3;)
# CVE-2018-17245: request to /api/console/api_server whose normalized URI (/U) also has SENSE_VERSION and
# an apis= value containing a "../" or "..\" segment, raw or %2e/%2f/%5c encoded. Traversal inside apis= is
# the only trigger; an ordinary console load without dot segments does not match.
135alert http any any -> any any (msg: "ATTACK [PTsecurity] Kibana < 6.4.3 <5.6.13 Arbitrary File Inclusion/Disclosure/RCE attempt (CVE-2018-17245)"; flow: established, to_server; content: "/api/console/api_server"; http_uri; content: "SENSE_VERSION"; nocase; http_uri; distance: 0; pcre: "/apis\s*=\s*[^&]*(?:(?:%2e|\.)(?:%2e|\.)(?:%5c|%2f|\/|\\))/Ui"; reference: cve, 2018-17245; reference: url, www.cyberark.com/threat-research-blog/execute-this-i-know-you-have-it; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004231; rev: 1;)
# CVE-2018-8581 (see the dirkjanm write-up): NTLM-authenticated SOAP POST (SOAPAction + "Authorization: NTLM"
# headers) whose body carries m:SendNotificationResponseMessage. The match is on a single element name, so
# legitimate EWS notification traffic can produce the same shape -- review the callback host in the same
# body before escalating.
137alert http any any -> any any (msg: "ATTACK [PTsecurity] MS Exchange 2010-2019 Possible privilege escalation (CVE-2018-8581)"; flow: established, to_server; content: "POST"; http_method; content: "SOAPAction"; http_header; content: "Authorization: NTLM"; http_header; content: "m:SendNotificationResponseMessage"; http_client_body; reference: url, dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/; reference: cve, 2018-8581; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004420; rev: 1;)
# CVE-2019-7385: POST to /boaform/formPasswordSetup where newpass= or confpass= begins with a backtick
# (\x60) -- shell command substitution in a password field. The "confpass" content is only the prefilter;
# the pcre (/P = request body) carries the actual check.
139alert http any any -> any any (msg: "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7385)"; flow: established, to_server; content: "POST"; http_method; content: "/boaform/formPasswordSetup"; http_uri; content: "confpass"; http_client_body; pcre: "/(newpass|confpass)\s*=\s*\x60/P"; reference: cve, 2019-7385; reference: url, s3curityb3ast.github.io/KSA-Dev-006.md; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004526; rev: 1;)
# CVE-2019-7384: POST to /boaform/admin/formgponConf where fmgpon_loid= begins with a pipe, raw or
# %7c-encoded. Same structure as sid 10004526: body content as prefilter, pcre (/P) does the work.
141alert http any any -> any any (msg: "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7384)"; flow: established, to_server; content: "POST"; http_method; content: "/boaform/admin/formgponConf"; http_uri; content: "fmgpon_loid"; http_client_body; pcre: "/fmgpon_loid\s*=\s*(\x7c|%7c)/P"; reference: cve, 2019-7384; reference: url, s3curityb3ast.github.io/KSA-Dev-005.md; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004527; rev: 1;)
# CVE-2019-1003000/1/2: POST to /job/<name>/config.xml (the "/job/" prefix is anchored with depth 5) whose
# body has a <script> element containing a Groovy @Grab or @ASTTest annotation -- the annotations used for
# the sandbox bypass. The /s flag lets .*? span newlines in pretty-printed XML.
143alert http any any -> any any (msg: "ATTACK [PTsecurity] Jenkins sandbox bypassing RCE (CVE-2019-1003000/1/2)"; flow: established, to_server; content: "POST"; http_method; nocase; content: "/job/"; http_uri; depth: 5; content: "/config.xml"; http_uri; content: "script"; http_client_body; pcre: "/<\s*script\s*>.*?@(Grab|ASTTest)/Ps"; reference: url, github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc; reference: cve, 2019-1003000; reference: cve, 2019-1003001; reference: cve, 2019-1003002; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004529; rev: 2;)
# CVE-2019-3924: Winbox request to 8291 that ends exactly with |68 00 00 00| (isdataat: !1, relative = no
# byte follows) and carries the field set |07 00 FF 09 01| |03 00 00 08| |04 00 00 09| |07 00 00 21|
# |08 00 00 21| from the Tenable PoC. Those later contents are unanchored, so their order is not enforced.
145alert tcp any any -> any 8291 (msg: "ATTACK [PTsecurity] MikroTik Firewall & NAT Bypass (CVE-2019-3924)"; flow: established, no_stream, to_server; content: "|01 00|"; depth: 4; content: "M2"; depth: 8; content: "|68 00 00 00|"; isdataat: !1, relative; content: "|07 00 FF 09 01|"; content: "|03 00 00 08|"; content: "|04 00 00 09|"; content: "|07 00 00 21|"; content: "|08 00 00 21|"; reference: cve, 2019-3924; reference: url, www.tenable.com/security/research/tra-2019-07; reference: url, github.com/tenable/routeros/blob/master/poc/cve_2019_3924; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004547; rev: 1;)
# CVE-2019-6340: GET to a hal_json endpoint that nevertheless carries a body whose JSON has "link" ...
# "options" and an "options": "O:<n>:" value -- a serialized PHP object handed to the REST layer.
# NOTE(review): the "options" content has distance: 0 but, unlike its neighbours, no http_client_body
# modifier, so it targets the raw payload while being relative to a body match; confirm the engine applies
# it as intended and consider adding http_client_body to make the buffer explicit.
147alert http any any -> any any (msg: "ATTACK [PTsecurity] Arbitrary PHP RCE in Drupal 8 < 8.5.11,8.6.10 (CVE-2019-6340)"; flow: established, to_server; content: "GET"; http_method; content: "hal_json"; http_uri; content: "link"; http_client_body; content: "options"; distance: 0; content: "O:"; distance: 0; http_client_body; pcre: "/\x22options\x22\s*:\s*\x22O:\d+:/P"; reference: cve, 2019-6340; reference: url, www.ambionics.io/blog/drupal8-rce; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004555; rev: 3;)
# phpMyAdmin import.php POST (form-urlencoded) that sets general_log_file to a .php path -- pointing the
# MySQL general log into the webroot so later queries become a web shell. phpMyAdmin normally sits behind a
# login, so a hit usually means credentials were already obtained; treat it as post-compromise activity even
# though classtype says attempted-admin.
149alert http any any -> any any (msg: "ATTACK [PTsecurity] PHPMyAdmin web shell planting with log redirection"; flow: established, to_server; content: "POST"; http_method; content: "import.php"; http_uri; content: "application/x-www-form-urlencoded"; http_header; content: "general_log_file"; http_client_body; fast_pattern; content: ".php"; http_client_body; distance: 0; pcre: "/general_log_file[^&]+\.php(\x22|\x27|\s|%27|%22|%20)/P"; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004566; rev: 1;)
# CVE-2019-0227: server->client 3xx response (status code starts "30") with a Location header in which
# "method" is followed by "!--", ">" and "deployment" -- the redirect-to-WSDD shape from the Rhino Security
# write-up. /RH = relative match in the normalized header buffer. Fires on the response, i.e. on the
# redirecting host answering the Axis server's outbound fetch, not on the initial SSRF request.
151alert http any any -> any any (msg: "ATTACK [PTsecurity] Possible Apache Axis RCE via SSRF (CVE-2019-0227)"; flow: established, to_client; content: "30"; http_stat_code; content: "Location:"; http_header; content: "method"; distance: 0; http_header; pcre: "/(!|%21)(-|%2D|)+(>|%3E)/RHi"; content: "deployment"; distance: 0; http_header; reference: cve, 2019-0227; reference: url, rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004698; rev: 1;)
# CVE-2019-3396: request to /rest/tinymce/.../macro/preview whose body contains contentId, _template and
# url -- the Widget Connector macro preview with a caller-supplied template. The three body contents are
# unordered (no distance), so any preview request naming _template fires; normal previews should rarely set
# it -- verify against your Confluence traffic before relying on that.
153alert http any any -> any any (msg: "ATTACK [PTsecurity] Confluence <6.14.2,6.13.3,6.12.3 Unauthorized RCE (CVE-2019-3396)"; flow: established, to_server; content: "/rest/tinymce/"; http_uri; content: "/macro/preview"; http_uri; distance: 0; content: "contentId"; http_client_body; content: "_template"; http_client_body; content: "url"; http_client_body; reference: url, paper.seebug.org/886; reference: cve, 2019-3396; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004699; rev: 1;)
# CVE-2019-2618: POST to /bea_wls_deployment_internal/DeploymentService carrying the app_upload,
# _WL_internal and bea_wls_ request headers -- the internal deployment-upload API. The referenced PoC
# authenticates first, so this is an authenticated upload; a hit from outside the admin network is the
# interesting case, and scoping to $EXTERNAL_NET -> $HOME_NET (as the rules at the end of this file do)
# would cut noise from legitimate deployments.
155alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic file upload RCE (CVE-2019-2618)"; flow: established, to_server; content: "POST"; nocase; http_method; content: "/bea_wls_deployment_internal/DeploymentService"; http_uri; content: "app_upload"; http_header; content: "_WL_internal"; http_header; content: "bea_wls_"; http_header; distance: 0; reference: cve, 2019-2618; reference: url, github.com/jas502n/cve-2019-2618/blob/master/cve-2019-2618.py; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004781; rev: 2;)
# CVE-2019-0708 (BlueKeep), stage 1 of a flowbit chain: pkt1 -> pkt2 -> pkt3 -> JoinReq counter -> pkt12 ->
# pkt13 (sids 10004861..10004867), each stage having a simplified twin (10005396..10005400) that anchors on
# the record header alone. This one wants two TLS-looking application-data records (|17 03 01|) in a single
# client payload: the first 32 bytes long (|00 20|), the second, 32 bytes later, with a length > 450.
# app-layer-protocol: !tls drops flows the engine already classified as TLS (a real handshake was seen) and
# the !443 port keeps HTTPS out. noalert: only sets BlueKeep.pkt1.
157alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #1)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; fast_pattern; content: "|17 03 01|"; distance: 32; within: 3; byte_test: 2, >, 450, 0, relative, big; flowbits: set, BlueKeep.pkt1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004861; rev: 5;)
# BlueKeep stage 1, simplified twin of sid 10004861: any |17 03 01| record at payload start with length
# > 450, without requiring the preceding 32-byte record in the same segment. Sets the same BlueKeep.pkt1
# flowbit, so either variant feeds stage 2.
159alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #1)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01|"; depth: 3; byte_test: 2, >, 450, 0, relative, big; flowbits: set, BlueKeep.pkt1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005396; rev: 2;)
# BlueKeep stage 2: a 32-byte record (|00 20|) followed 32 bytes later by a 48-byte record (|00 30|), on a
# flow where pkt1 is already set. Sets BlueKeep.pkt2, noalert.
161alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #2)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 30|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt1; flowbits: set, BlueKeep.pkt2; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004862; rev: 5;)
# BlueKeep stage 2, simplified twin of sid 10004862: a 48-byte record (|00 30|) at payload start after
# pkt1. Sets BlueKeep.pkt2, noalert.
163alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #2)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 30|"; depth: 5; fast_pattern; flowbits: isset, BlueKeep.pkt1; flowbits: set, BlueKeep.pkt2; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005397; rev: 2;)
# BlueKeep stage 3: two consecutive 32-byte records (|00 20| then |00 20| at distance 32) after pkt2.
# Sets BlueKeep.pkt3, noalert.
165alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #3)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 20|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt2; flowbits: set, BlueKeep.pkt3; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004863; rev: 5;)
# BlueKeep stage 3, simplified twin of sid 10004863: a single 32-byte record at payload start after pkt2.
# Sets BlueKeep.pkt3, noalert.
167alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #3)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; flowbits: isset, BlueKeep.pkt2; flowbits: set, BlueKeep.pkt3; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005398; rev: 2;)
# BlueKeep stage 4 (counter): after pkt3, every client payload shaped 32-byte record + 48-byte record
# increments the per-flow JoinReq flowint by 1 -- one per MCS Channel Join Request, per the msg. No flowbit
# is set here; stage 5 (sid 10004865) reads the counter. noalert.
169alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (MCS Channel Join Requests)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 00 30|"; distance: 32; within: 5; fast_pattern; flowbits: isset, BlueKeep.pkt3; flowint: JoinReq, +, 1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004864; rev: 5;)
# BlueKeep stage 4, simplified twin of sid 10004864: a 48-byte record at payload start after pkt3 bumps
# the same JoinReq counter. Both variants can fire on one flow, so the count is of matching segments, not
# strictly of join requests.
171alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (MCS Channel Join Requests)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 30|"; depth: 5; flowbits: isset, BlueKeep.pkt3; flowint: JoinReq, +, 1; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005399; rev: 2;)
# BlueKeep stage 5: a 32-byte record followed by a 384-byte record (|01 80|) once JoinReq has reached 7 or
# more. The threshold encodes "more channel joins than the PoC's victim would normally see"; if a legitimate
# client with many static channels trips it, this is the value to tune. Sets BlueKeep.pkt12, noalert.
173alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 00 20|"; depth: 5; content: "|17 03 01 01 80|"; distance: 32; within: 5; flowint: JoinReq, >=, 7; flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004865; rev: 8;)
# BlueKeep stage 5, simplified twin of sid 10004865: a 384-byte record (|01 80|) at payload start with
# JoinReq >= 7. Sets BlueKeep.pkt12, noalert.
175alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708 (pkt #12)"; flow: established, to_server; app-layer-protocol: !tls; content: "|17 03 01 01 80|"; depth: 5; flowint: JoinReq, >=, 7; flowbits: set, BlueKeep.pkt12; flowbits: noalert; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005400; rev: 2;)
# BlueKeep final stage and the only one that alerts: a server->client 464-byte record (|01 d0|) at payload
# start, after pkt12, while the flow is still small (client < 3500 bytes, server < 3000). Because every
# earlier stage is noalert, a sensor that misses any one of them (asymmetric routing, stream drops) never
# alerts on this flow -- presumably the reason the simplified twins exist. Sets BlueKeep.pkt13.
177alert tcp any any -> any !443 (msg: "ATTACK [PTsecurity] Possible Bluekeep RDP exploit CVE-2019-0708"; flow: established, from_server; app-layer-protocol: !tls; stream_size: client, <, 3500; stream_size: server, <, 3000; content: "|17 03 01 01 d0|"; depth: 5; flowbits: isset, BlueKeep.pkt12; flowbits: set, BlueKeep.pkt13; reference: cve, 2019-0708; reference: url, github.com/Ekultek/BlueKeep; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004867; rev: 6;)
# Redis rogue-master replication: server->client FULLRESYNC reply (within the first 20 bytes) followed
# within 70 bytes by an ELF header (|7F|ELF) -- the "RDB" being transferred is a shared object, not a
# database dump. classtype is successful-admin because the payload delivery itself is observed.
179alert tcp any any -> any any (msg: "ATTACK [PTsecurity] Redis Master-Slave replication RCE successful"; flow: established, to_client; content: "FULLRESYNC"; nocase; depth: 20; content: "|7F|ELF"; within: 70; reference: url, paper.seebug.org/977; reference: url, rules.ptsecurity.com; classtype: successful-admin; sid: 10005212; rev: 2;)
# vBulletin 5.x pre-auth RCE (Sept 2019 full-disclosure post): POST whose body has routestring followed
# within 30 bytes by widget_php, and pcre checks for ajax/render/widget_php and widgetConfig[code] with up
# to 6 bytes of separator between tokens (covers [] and %5B%5D encodings). Only the advisory URL is
# attached -- there is no cve reference on this rule.
181alert http any any -> any any (msg: "ATTACK [PTsecurity] vBulletin 5.x pre-auth RCE"; flow: established, to_server; content: "POST"; http_method; content: "routestring"; http_client_body; content: "widget_php"; within: 30; http_client_body; pcre: "/ajax.{1,6}render.{1,6}widget_php/P"; pcre: "/widgetConfig.{1,6}code/P"; reference: url, seclists.org/fulldisclosure/2019/Sep/31; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005417; rev: 3;)
# CVE-2019-16662: any request whose normalized URI names ajaxserversettingschk.php and, after it (/R),
# contains ; & or | raw or %-encoded. NOTE(review): "&" is also the ordinary query-string separator, so
# every multi-parameter call to this script alerts, not only injected ones; acceptable if the script is
# never expected to be reachable, otherwise narrow the pcre to the injectable parameter value.
183alert http any any -> any any (msg: "ATTACK [PTsecurity] rConfig ajaxServerSettingsChk.php unauth RCE (CVE-2019-16662)"; flow: established, to_server; content: "ajaxserversettingschk.php"; http_uri; nocase; pcre: "/(?:\x3b|\x26|\x7C|%3b|%7c|%26)/iRU"; reference: url, shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662; reference: cve, 2019-16662; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005501; rev: 5;)
# CVE-2019-16663: same construction as sid 10005501 for search.crud.php -- any ; & or | in the normalized
# URI after the script name. The same "&"-as-separator caveat applies: a plain two-parameter search hits
# this rule, so tune or pair with a parameter-value pattern if it is noisy.
185alert http any any -> any any (msg: "ATTACK [PTsecurity] rConfig search.crud.php unauth RCE (CVE-2019-16663)"; flow: established, to_server; content: "search.crud.php"; http_uri; nocase; pcre: "/(?:\x3b|\x26|\x7C|%3b|%7c|%26)/iRU"; reference: url, shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662; reference: cve, 2019-16663; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005502; rev: 5;)
# CVE-2020-0796 (SMBGhost): SMB2 compression transform header (|FC|SMB) whose 4-byte little-endian field
# 8 bytes past the ProtocolId (presumably the Offset/Length field -- confirm against MS-SMB2) exceeds
# 0x800134, the oversized value discussed in the McAfee write-up. stream_size < 1000 in both directions
# restricts this to the start of a session, before legitimate compressed traffic would normally appear.
# sid 10005778 applies the same test to the field immediately after the ProtocolId.
187alert smb any any -> any any (msg: "ATTACK [PTsecurity] CoronaBlue/SMBGhost DOS/RCE Attempt (CVE-2020-0796)"; flow: established; stream_size: both, <, 1000; content: "|FC|SMB"; depth: 8; byte_test: 4, >, 0x800134, 8, relative, little; reference: url, www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796; reference: cve, 2020-0796; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005777; rev: 6;)
# CVE-2020-0796 variant of sid 10005777: tests the 4-byte little-endian field directly after |FC|SMB
# (presumably OriginalCompressedSegmentSize) against the same 0x800134 bound, with no stream-size limit,
# so it also covers a transform header sent later in a session.
189alert smb any any -> any any (msg: "ATTACK [PTsecurity] CoronaBlue/SMBGhost DOS/RCE Attempt (CVE-2020-0796)"; flow: established; content: "|FC|SMB"; depth: 8; byte_test: 4, >, 0x800134, 0, relative, little; reference: url, www.mcafee.com/blogs/other-blogs/mcafee-labs/smbghost-analysis-of-cve-2020-0796; reference: cve, 2020-0796; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005778; rev: 5;)
# CVE-2020-1350 (SIGRed): DNS-over-TCP answer from port 53 whose 2-byte length prefix starts with |FF|
# (message >= 65280 bytes), containing a SIG question (type 0x0018, class 0x0001) followed by an answer RR
# with a compression-pointer name (|C0| xx), the same type/class, and -- 4 TTL bytes later -- an RDLENGTH
# whose high byte is 0xFF. The oversized SIG RDLENGTH is the trigger from the Check Point write-up; large
# TCP answers without a SIG record do not match.
191alert tcp any 53 -> any any (msg: "ATTACK [PTsecurity] Windows Server DNS RCE aka SIGRed (CVE-2020-1350) - Query response"; flow: established, from_server; content: "|FF|"; depth: 1; content: "|00 00 18 00 01 C0|"; within: 100; content: "|00 18 00 01|"; distance: 1; within: 4; content: "|FF|"; distance: 4; within: 1; reference: url, research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers; reference: cve, 2020-1350; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005977; rev: 2;)
# CVE-2020-14882: raw URI carrying a double-encoded dot-dot (%252E%252E) while the normalized URI reaches
# console.portal -- the double encoding is what slips past the console's auth check -- plus tangosol,
# coherence and ShellSession in order. Those three contents have no buffer modifier, so they are matched
# against the raw payload; for a GET they still land in the query string, which is where the PoC puts them.
193alert http any any -> any any (msg: "ATTACK [PTsecurity] Oracle Weblogic unauth RCE (CVE-2020-14882)"; flow: established, to_server; content: "%252E%252E"; http_raw_uri; content: "console.portal"; http_uri; content: "tangosol"; content: "coherence"; distance: 0; content: "ShellSession"; distance: 0; reference: url, twitter.com/jas502n/status/1321416053050667009; reference: url, testbnull.medium.com/weblogic-rce-by-only-one-get-request-cve-2020-14882-analysis-6e4b09981dbf; reference: cve, 2020-14882; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006254; rev: 1;)
# CVE-2021-41773 traversal: raw URI contains "%2e/" and the pcre (/I = raw URI) requires a dot-dot segment
# in which at least the second dot is %2e-encoded -- the exact form 2.4.49 fails to normalize. "Likely"
# in the msg because scanners send this against all sorts of servers; threshold limit 1/60s per source
# keeps one scanner from flooding the console. sid 10006813 is the RCE-flavoured companion.
195alert http any any -> any any (msg: "ATTACK [PTsecurity] Likely Apache HTTP Server 2.4.49 Directory Traversal (CVE-2021-41773)"; flow: established, to_server; content: "%2e/"; nocase; http_raw_uri; pcre: "/\/(\.|%2e)%2e\//Ii"; threshold: type limit, track by_src, count 1, seconds 60; reference: cve, 2021-41773; reference: url, twitter.com/lofi42/status/1445382059640434695; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006811; rev: 2;)
# CVE-2021-41773 RCE attempt: same encoded dot-dot traversal as sid 10006811, but on a POST and with "sh"
# somewhere later in the raw URI (the shell reached through cgi-bin). Note "sh" is a very short token and
# also matches e.g. "shell" or "flash"; the traversal remains the real signal, the POST+sh pair only raises
# the priority. No threshold here, so every attempt alerts.
197alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache HTTP Server 2.4.49 RCE attempt (CVE-2021-41773)"; flow: established, to_server; content: "%2e/"; nocase; http_raw_uri; content: "sh"; distance: 0; nocase; http_raw_uri; pcre: "/\/(\.|%2e)%2e\//Ii"; content: "POST"; nocase; http_method; reference: cve, 2021-41773; reference: url, twitter.com/lofi42/status/1445382059640434695; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006813; rev: 1;)
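# CVE-2021-44228 (Log4Shell) in the normalized URI: a literal "${" followed by j, n, d, i, ":" and then
# ldap / dns / rmi / iiop, where every character may be wrapped in nested lookups such as ${lower:..},
# ${upper:..}, ${env:..:-..}, ${date:..} or ${..:-..} -- the obfuscation forms the pcre unwraps. URL-encoded
# variants are covered because /U matches the decoded URI. The five single-character content matches in
# front of the pcre are the prefilter that keeps this very expensive regex off most traffic: do not remove
# them. Must stay on one physical line -- an earlier copy of this file had the reference list wrapped onto
# a second line, which no rule parser accepts without backslash continuation.
alert http any any -> any any (msg: "ATTACK [PTsecurity] log4j RCE aka Log4Shell HTTP URI URL-encoded attempt (CVE-2021-44228)"; flow: established; content: "${"; http_uri; content: "j"; http_uri; distance: 0; nocase; content: "n"; http_uri; distance: 0; nocase; content: "d"; http_uri; distance: 0; nocase; content: "i"; http_uri; distance: 0; nocase; content: ":"; http_uri; distance: 0; nocase; pcre: "/\${(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*j\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*n\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*d\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*i\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*:\'*}*(?:(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*l\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*d\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*a\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*p\'*}*|(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*d\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*n\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*s\'*}*|(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*r\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*m\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*i\'*}*|(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*i\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*i\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*o\'*}*(?:\${date:}|\${date:\'|\${upper:|\${lower:|\${env:[^:]*:-\}?|\${.*?:-)*}*p\'*}*)/Ui"; reference: cve, 2021-44228; reference: url, www.lunasec.io/docs/blog/log4j-zero-day; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10006897; rev: 7;)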
# CVE-2022-23131: request to /index_sso.php whose zbx_session cookie base64-decodes to JSON containing
# saml_data and username_attribute but missing at least one of sessionid / sign / session_index -- the
# pcre alternation succeeds as soon as any one of its three negative lookaheads does. Per the SonarSource
# write-up a genuinely issued session carries all three, so their absence marks a forged cookie.
201alert http any any -> any any (msg: "ATTACK [PTsecurity] Zabbix v5.4.x SSO/SALM Auth Bypass RCE (CVE-2022-23131)"; flow: established, to_server; content: "/index_sso.php"; http_uri; content: "zbx_session="; http_cookie; base64_decode: relative; base64_data; content: "saml_data"; content: "username_attribute"; distance: 0; pcre: "/^\{(?:(?!.*sessionid)|(?!.*sign)|(?!.*session_index)).+$/"; reference: url, blog.sonarsource.com/zabbix-case-study-of-unsafe-session-storage; reference: cve, 2022-23131; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10007101; rev: 4;)
# DISABLED (leading #). MS16-137 / CVE-2016-7237 stage 1: SMB1 Session Setup AndX request (|FF|SMB|73|)
# with specific offsets and a byte_test on the security blob, setting both a flowbit and an xbit keyed on
# ip_dst with a 15 s expiry. Sids 10000533 and 10000545 below depend on these bits; re-enable all three
# together or none.
203#alert tcp any any -> any 445 (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Attempt (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|73 00 00 00 00|"; offset: 4; depth: 9; content: "|FF 00|"; offset: 37; depth: 2; content: "|01 00 00 00 00 00|"; offset: 45; depth: 6; content: "|00 00 00 00 D4 00 00 A0|"; distance: 2; within: 8; content: "|A1 84|"; distance: 2; within: 2; byte_test: 1,!=,0xD1,0,relative; flowbits: set, CVE.2016-7237.Attempt; xbits: set,CVE.2016-7237.Attempt,track ip_dst,expire 15; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000532; rev: 2;)
# DISABLED. MS16-137 stage 2 (same flow): Session Setup reply with NT status |05 02 00 C0| after the
# attempt flowbit from sid 10000532 -- the "LSASS in an infinite loop" outcome per the msg.
205#alert tcp any 445 -> any any (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Successful LSASS Inf. loop (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|73 05 02 00 C0|"; offset: 4; depth: 9; flowbits: isset, CVE.2016-7237.Attempt; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; reference: url, rules.ptsecurity.com; classtype: successful-dos; sid: 10000533; rev: 2;)
# DISABLED. MS16-137 stage 2 (cross-flow): an SMB1 Negotiate response (|FF|SMB|72 01|) from a host that
# was targeted within the last 15 s, matched through the xbit (track ip_src here, ip_dst on the setter)
# rather than a flowbit, because a crashed LSASS shows up on a fresh connection, not the original one.
207#alert tcp any 445 -> any any (msg: "ATTACK [PTsecurity] LSASS Remote Memory Corruption Successful LSASS crashed (MS16-137)"; flow: established, no_stream; content: "|FF|SMB|72 01|"; offset: 4; depth: 6; xbits: isset,CVE.2016-7237.Attempt,track ip_src; reference: cve, 2016-7237; reference: url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; reference: url, rules.ptsecurity.com; classtype: successful-dos; sid: 10000545; rev: 1;)
# iOS 10.1.x certificate-file crash (WLB-2016110046), variant 1 of 3: an inbound PEM certificate (the
# "-----BEGIN CERTIFICATE-----" header anchored with depth 27, its exact length) containing
# "BggrBgEFBQcwAoaD". That base64 decodes to DER 06 08 2B 06 01 05 05 07 30 02 86 83 -- the AIA
# accessMethod OID 1.3.6.1.5.5.7.48.2 followed by a URI tag with a 3-byte long-form length. Sids 10000758
# and 10000759 match the same bytes at the other two base64 alignments.
209alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "BggrBgEFBQcwAoaD"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000757; rev: 1;)
# iOS 10.1.x certificate-file crash, variant 2 of 3: same DER bytes as sid 10000757 at the second base64
# alignment (one byte of preceding data in the 3-byte group), hence the different text.
211alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "YIKwYBBQUHMAKGgw"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000758; rev: 1;)
# iOS 10.1.x certificate-file crash, variant 3 of 3: same DER bytes at the third base64 alignment (two
# bytes of preceding data). Together the three rules cover every alignment, but only PEM delivered as an
# HTTP response body -- a DER (binary) certificate is not covered.
213alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] iOS 10.1.x Remote memory corruption through certificate file Attempt"; flow: established, from_server; content: "-----BEGIN CERTIFICATE-----"; depth: 27; http_server_body; content: "GCCsGAQUFBzAChoM"; distance: 0; http_server_body; reference: url, cxsecurity.com/issue/WLB-2016110046; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000759; rev: 1;)
# CVE-2016-7636: inbound TLS Certificate message (|16 03| record, |0B| handshake type) whose DER uses a
# 3-byte long-form length (|30 83|) and repeats the AIA accessMethod OID 1.3.6.1.5.5.7.48.2 plus a URI tag
# (|86|) ten or more times (pcre {10,}) -- a certificate stuffed with access locations that, per the
# advisory, the client chases one by one. only_stream: a certificate this large spans segments, so match on
# reassembled data. The two content/byte_jump pairs are a cheap pre-check before the pcre.
215alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] Apple macOS 10.12.1/iOS 10 OCSP DDoS Attempt (CVE-2016-7636)"; flow: established, from_server, only_stream; content: "|16 03|"; depth: 2; content: "|16 03|"; content: "|0B|"; distance: 3; within: 1; content: "|30 83|"; content: "|30|"; distance: 3; within: 1; content: "|06 08 2B 06 01 05 05 07 30 02 86|"; distance: 1; within: 11; byte_jump: 1, 0, relative; content: "|30|"; content: "|06 08 2B 06 01 05 05 07 30 02 86|"; distance: 1; within: 11; byte_jump: 1, 0, relative; content: "|30|"; pcre: "/(?:[^\x06]+\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86){10,}/"; reference: cve, 2016-7636; reference: url, cxsecurity.com/issue/WLB-2016100213; reference: url, rules.ptsecurity.com; classtype: attempted-dos; sid: 10000495; rev: 1;)
# CVE-2016-4971 stage 1 (noalert): outbound HTTP request ($HOME_NET -> $EXTERNAL_NET) whose User-Agent
# starts with "wget" (depth 4). Sets flowbit "10000062" -- the flowbit is simply named after this sid --
# for sid 10000063. No flow keyword: the http keywords imply an established flow.
217alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "ATTACK [PTsecurity] GNU Wget http request"; content: "wget"; http_user_agent; nocase; depth: 4; flowbits: set, 10000062; flowbits: noalert; reference: cve, 2016-4971; reference: url, legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000062; rev: 2;)
# CVE-2016-4971 stage 2: 3xx response (status code starts "30") with "Location: ftp://" answering the wget
# request tagged by sid 10000062 on the same flow -- wget < 1.18 follows the redirect and saves the FTP
# file under the server-chosen name. Alerts on the redirect itself, before the FTP transfer.
219alert http $EXTERNAL_NET any -> $HOME_NET any (msg: "ATTACK [PTsecurity] GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution"; flowbits: isset, 10000062; content: "30"; http_stat_code; depth: 2; content: "Location: ftp://"; nocase; http_header; reference: cve, 2016-4971; reference: url, legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000063; rev: 2;)
# PHP deserialization gadget chain (phpggc Guzzle/RCE1): raw TCP payload, any port and either direction,
# containing the chain's class and method names in order -- GuzzleHttp Psr7 FnStream close ... HandlerStack
# resolve. Transport-agnostic by design (not limited to HTTP), which also means the phpggc source or its
# documentation crossing the wire can match; check that the payload is an actual serialized object.
221alert tcp any any -> any any (msg: "ATTACK [PTsecurity] PHP Object Deserialization RCE POP Chain (Guzzle/RCE1)"; flow: established; content: "GuzzleHttp"; content: "Psr7"; distance: 0; content: "FnStream"; distance: 0; content: "close"; distance: 0; content: "GuzzleHttp"; distance: 0; content: "HandlerStack"; distance: 0; content: "resolve"; distance: 0; reference: url, github.com/ambionics/phpggc; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10003494; rev: 2;)