idaholab#251; include CVE-2023-28771 rule based on Zyxel SektorCERT R…

…eport
mmguero-dev · Dec 13, 2023 · e5f63bf · e5f63bf
1 parent 517c2b4
commit e5f63bf
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/suricata/default-rules/OT/malcolm/CVE-2023-28771_Zyxel.rules b/suricata/default-rules/OT/malcolm/CVE-2023-28771_Zyxel.rules
@@ -0,0 +1,17 @@
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show users"; nocase; sid:1000001; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show sessions"; nocase; sid:1000002; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show configuration"; nocase; sid:1000003; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show running-config"; nocase; sid:1000004; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show firewall rule"; nocase; sid:1000005; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"export config"; nocase; sid:1000006; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/mipskiller"; sid:1000007; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/mipskiller"; sid:1000008; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/proxy2"; sid:1000009; rev:1;)
+alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/proxy2"; sid:1000009; rev:1;)
+alert tcp any any -> any 8081 (msg: "Potential Zyxel Payload connection"; content:"/proxy2"; sid:1000010; rev:1;)
+alert tcp any any -> any 82 (msg: "Potential Zyxel Payload connection"; content:"/fuckjewishpeople.mips"; sid:1000011; rev:1;)
+alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/mips"; sid:1000012; rev:1;)
+alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/mpsl"; sid:1000013; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/bins/paraiso.mips"; sid:1000014; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/bins/libcurl1337.mips"; sid:1000015; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/proxy1"; sid:1000016; rev:1;)