Rule History

SID: 2025432 • Source: et/open

Versions (3)

Version DetailsCurrent

Rev: 4 • Mar 13, 2018, 12:00 PM

Message:

ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)

Rule:

alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12636)"; flow:established,to_server,only_stream; urilen:26; http.method; content:"PUT"; http.uri; content:"/_config/query_servers/cmd"; http.header; content:"Authorization|3a 20|Basic"; http.request_body; pcre:"/^\s*[\x22\x27]/"; reference:cve,2017-12636; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025432; rev:4; metadata:created_at 2018_03_13, cve CVE_2017_12636, deployment Datacenter, performance_impact Moderate, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_05;)

Created:

Mar 13, 2018, 12:00 PM

Updated:

Nov 5, 2020, 12:00 PM

DB Created:

Mar 13, 2018, 12:00 PM

DB Updated:

Sep 29, 2025, 9:34 PM

Filename:

rules/emerging-exploit.rules