SonicWall SSL/VPN Jarrewrite Exploitation
Detects exploitation attempts of the SonicWall Jarrewrite Exploit
Sigma rule
title: SonicWall SSL/VPN Jarrewrite Exploitation
id: 6f55f047-112b-4101-ad32-43913f52db46
status: test
description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
references:
    - https://web.archive.org/web/20210126045316/https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
    - https://github.com/darrenmartyn/VisualDoor
author: Florian Roth (Nextron Systems)
date: 2021-01-25
modified: 2023-04-27
tags:
    - attack.t1190
    - attack.initial-access
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/cgi-bin/jarrewrite.sh'
        cs-user-agent|contains:
            - ':;'
            - '() {'
            - '/bin/bash -c'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: high
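
The rule's selection logic run over constructed log records, as an added example that is not part of the original rule or of any Sigma tooling. It assumes standard Sigma matching semantics (keys in a selection are ANDed, list values are ORed, `contains` is case-insensitive); the sample records and the helper names `matches` and `alerts` are made up for illustration.

```python
# Added example: evaluate the rule's `selection` against parsed web log records.
# Assumed Sigma semantics: fields ANDed, list values ORed, case-insensitive contains.

SELECTION = {
    "cs-uri-query": ["/cgi-bin/jarrewrite.sh"],
    "cs-user-agent": [":;", "() {", "/bin/bash -c"],
}

def matches(event, selection=SELECTION):
    """Return True when every field contains at least one of its patterns."""
    for field, patterns in selection.items():
        value = str(event.get(field) or "").lower()
        if not any(p.lower() in value for p in patterns):
            return False
    return True

def alerts(events):
    """Return the rule's output fields (c-ip, c-dns) for each matching event."""
    return [{"c-ip": e.get("c-ip"), "c-dns": e.get("c-dns")}
            for e in events if matches(e)]

# Constructed sample records (not real traffic); IPs are documentation ranges.
SAMPLE_EVENTS = [
    # Match: jarrewrite.sh requested with function-definition markers in the UA.
    {"c-ip": "203.0.113.10", "c-dns": "scanner.example",
     "cs-uri-query": "/cgi-bin/jarrewrite.sh",
     "cs-user-agent": "() { :; }; COMMAND_PLACEHOLDER"},
    # No match: same URI, ordinary browser User-Agent.
    {"c-ip": "198.51.100.7", "c-dns": "client.example",
     "cs-uri-query": "/cgi-bin/jarrewrite.sh",
     "cs-user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    # No match: markers present, but a different URI.
    {"c-ip": "203.0.113.11", "c-dns": None,
     "cs-uri-query": "/index.html",
     "cs-user-agent": "() { :; }; COMMAND_PLACEHOLDER"},
    # No match: the log source put the path in cs-uri-stem, so the
    # cs-uri-query condition has nothing to inspect.
    {"c-ip": "203.0.113.12", "c-dns": None,
     "cs-uri-stem": "/cgi-bin/jarrewrite.sh", "cs-uri-query": "",
     "cs-user-agent": "() { :; }; COMMAND_PLACEHOLDER"},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(hit)
```

The last sample record is a coverage check for your own pipeline: if the request path is only logged in `cs-uri-stem`, the `cs-uri-query` condition never matches and the field mapping needs adjusting.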
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations
- Atlassian Bitbucket Command Injection Via Archive API
- CVE-2010-5278 Exploitation Attempt