Rule History

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT D-Link HNAP SOAPAction Command Injection (CVE-2015-2051, CVE-2019-10891, CVE-2022,37056, CVE-2024-33112, CVE-2025-11488, CVE-2025-63932)"; flow:established,to_server; http.uri; content:"/hnap1/"; nocase; http.header; content:"soapaction|3a 20|"; nocase; content:"http|3a 2f 2f|purenetworks|2e|com|2f|hnap1|2f|getdevicesettings"; within:60; fast_pattern; nocase; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,www.exploit-db.com/exploits/37171; reference:cve,2015-2051; reference:cve,2019-10891; reference:cve,2022-37056; reference:cve,2024-33112; reference:cve,2025-11488; reference:cve,2025-63932; classtype:attempted-admin; sid:2034491; rev:6; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2021_11_17, cve CVE_2015_2051, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_05, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)