Rule History

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Eir D1000 Modem CWMP Exploit RCE"; flow:to_server,established; http.header; content:"urn|3a|dslforum-org|3a|service|3a|Time|3a|1#SetNTPServers"; fast_pattern; http.request_body; content:"NewNTPServer"; content:">"; distance:0; within:5; pcre:"/^.{0,10}[\x3b\x0a\x26\x60\x7c\x24]/R"; reference:url,devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/; reference:md5,a19d5b596992407796a33c5e15489934; classtype:trojan-activity; sid:2023548; rev:7; metadata:affected_product Eir_D1000_Modem, attack_target Networking_Equipment, created_at 2016_11_28, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2025_07_08;)