Add new rules

Add "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7385)" Add "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7384)"
ptresearch · Feb 15, 2019 · a47ac89 · a47ac89
1 parent bf65d53
commit a47ac89
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 1 deletion.
diff --git a/pt.rules.tar.gz b/pt.rules.tar.gz
diff --git a/pt.rules.tar.gz.md5 b/pt.rules.tar.gz.md5
@@ -1 +1 @@
-c972fc7dcb0d12bef6718753ce90c330
+690c88429686211724195ae684fc178a
diff --git a/raisecom_gpon_rce/raisecom_gpon_rce.rules b/raisecom_gpon_rce/raisecom_gpon_rce.rules
@@ -0,0 +1,3 @@
+alert http any any -> any any (msg: "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7385)"; flow: established, to_server; content: "POST"; http_method; content: "/boaform/formPasswordSetup"; http_uri; content: "confpass"; http_client_body; pcre: "/(newpass|confpass)\s*=\s*\x60/P"; reference: cve, 2019-7385; reference: url, s3curityb3ast.github.io/KSA-Dev-006.md; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; classtype: attempted-admin; sid: 10004526; rev: 1;)
+
+alert http any any -> any any (msg: "ATTACK [PTsecurity] Raisecom GPON RCE via command injection (CVE-2019-7384)"; flow: established, to_server; content: "POST"; http_method; content: "/boaform/admin/formgponConf"; http_uri; content: "fmgpon_loid"; http_client_body; pcre: "/fmgpon_loid\s*=\s*(\x7c|%7c)/P"; reference: cve, 2019-7384; reference: url, s3curityb3ast.github.io/KSA-Dev-005.md; reference: url, github.com/ptresearch/AttackDetection; metadata: Open Ptsecurity.com ruleset; classtype: attempted-admin; sid: 10004527; rev: 1;)