Rule History

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Netgear R6260 Mini_httpd Buffer Overflow Attempt - Possible RCE (CVE-2021-34979)"; flow:established,to_server; http.header; content:"SOAPAction|3a 20|"; content:"urn:NETGEAR-ROUTER:service:"; within:30; fast_pattern; content:!"|0d 0a|"; within:131; pcre:"/^SOAPAction\x3a\x20\x22?urn\x3aNETGEAR-ROUTER\x3aservice\x3a.{128,}(?!:\d#)/Hm"; http.request_body; content:"|3c 3f|xml"; startswith; reference:url,nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-netgear-nday.html; reference:cve,2021-34979; classtype:trojan-activity; sid:2035446; rev:1; metadata:attack_target Networking_Equipment, created_at 2022_03_14, cve CVE_2021_34979, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, updated_at 2022_03_14;)