Skip to content

Instantly share code, notes, and snippets.

@fox-srt
Last active April 30, 2018 18:48
Show Gist options
  • Save fox-srt/5833c307db6a3e620b4ff5b137106dd3 to your computer and use it in GitHub Desktop.
Save fox-srt/5833c307db6a3e620b4ff5b137106dd3 to your computer and use it in GitHub Desktop.
Snort coverage for TR-069 SOAP RCE
alert tcp $EXTERNAL_NET any -> $HOME_NET 7547 (msg:"FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit incoming"; flow:established,to_server; content:"POST"; depth:4; content:"/UD/act?1"; content:"urn:dslforum-org:service:Time:1#SetNTPServers"; threshold: type limit, track by_dst, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 7547 (msg:"FOX-SRT – Exploit – TR-069 SOAP RCE NewNTPServer exploit outgoing"; flow:established,to_server; content:"POST"; depth:4; content:"/UD/act?1"; content:"urn:dslforum-org:service:Time:1#SetNTPServers"; threshold: type limit, track by_src, count 1, seconds 60; classtype:attempted-admin; reference:url,blog.fox-it.com/2016/11/28/recent-vulnerability-in-eir-d1000-router-used-to-spread-updated-version-of-mirai-ddos-bot; sid:2; rev:1;)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment