Rule History

SID: 2039129 • Source: et/open

Versions (5)

Version Details (Current)

Rev: 1 • Oct 7, 2022, 12:00 PM

ET EXPLOIT ZKBioSecurity SQL Injection Attempt (CVE-2022-36635)

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT ZKBioSecurity SQL Injection Attempt (CVE-2022-36635)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/baseOpLog.do"; bsize:13; http.request_body; content:"opTime"; fast_pattern; pcre:"/^(?:Begin|End)\=/PR"; content:"|27|"; distance:0; content:"|2f 2a|"; distance:0; content:"|2a 2f|"; distance:0; reference:url,medium.com/stolabs/cve-2022-36635-a-sql-injection-in-zksecuritybio-to-rce-c5bde2962d47; reference:cve,2022-36635; classtype:attempted-admin; sid:2039129; rev:1; metadata:affected_product IoT, attack_target IoT, created_at 2022_10_07, cve CVE_2022_36635, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_07, reviewed_at 2024_09_19, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
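To make the detection logic concrete, the Python below reimplements the matching order of this signature against raw HTTP requests. It is an added example, not code from Proofpoint/ET or from the ZKBioSecurity vendor: the method check (http.method; content:"POST"), the exact URI length check (http.uri; bsize:13, which also rules out any query string), and the body chain (content:"opTime", then the anchored relative pcre for "Begin=" or "End=", then a single quote, "/*" and "*/" each at distance:0 after the previous hit). The sample requests, the parse_request helper and the constant names are this example's own constructions; they are not captures of real device traffic and not a working exploit, only inputs that do or do not satisfy the rule. The real engine applies HTTP normalization to http.uri and http.request_body, which this plain byte matcher does not.

```python
import re

# Constructed sample requests for this example only (not real captures, not an exploit).
# Body lengths are set so the Content-Length headers are accurate.
INJECTION_ATTEMPT = (
    b"POST /baseOpLog.do HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n\r\n"
    b"opTimeBegin=2022-10-07'/**/AND/**/1=1"
)
BENIGN_QUERY = (
    b"POST /baseOpLog.do HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Length: 43\r\n\r\n"
    b"opTimeBegin=2022-10-07&opTimeEnd=2022-10-08"
)
WRONG_URI = (  # bsize:13 fails because the request target is longer than the bare path
    b"POST /baseOpLog.do?x=1 HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Length: 37\r\n\r\n"
    b"opTimeBegin=2022-10-07'/**/AND/**/1=1"
)
WRONG_METHOD = (
    b"GET /baseOpLog.do HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Length: 37\r\n\r\n"
    b"opTimeBegin=2022-10-07'/**/AND/**/1=1"
)
OUT_OF_ORDER = (  # "/*" precedes the quote, so the distance:0 chain cannot be satisfied
    b"POST /baseOpLog.do HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Length: 16\r\n\r\n"
    b"opTimeEnd=1/**/'"
)
RETRY_CASE = (  # first "opTime" fails the pcre; the engine retries on the second occurrence
    b"POST /baseOpLog.do HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Length: 26\r\n\r\n"
    b"opTimeZ=1&opTimeEnd=1'/**/"
)

RULE_URI = b"/baseOpLog.do"                 # http.uri; content:"/baseOpLog.do"; bsize:13
FAST_PATTERN = b"opTime"                    # http.request_body; content:"opTime"; fast_pattern
# pcre:"/^(?:Begin|End)\=/PR": Pattern.match(body, pos) anchors at pos, which models ^ with R.
RELATIVE_PCRE = re.compile(rb"(?:Begin|End)=")
# content:"|27|"; content:"|2f 2a|"; content:"|2a 2f|", each with distance:0 (after the previous hit)
TRAILING = [b"'", b"/*", b"*/"]


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, request_target, body). Minimal on purpose."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    return method, target, body


def matches_sid_2039129(raw: bytes) -> bool:
    """Return True when the request satisfies every match in the rule, in the rule's order."""
    method, target, body = parse_request(raw)
    if method != b"POST":
        return False
    # bsize:13 requires the whole URI buffer to be exactly the 13-byte path.
    if target != RULE_URI or len(target) != 13:
        return False
    # Like Suricata, try every occurrence of the fast pattern before giving up.
    start = body.find(FAST_PATTERN)
    while start != -1:
        m = RELATIVE_PCRE.match(body, start + len(FAST_PATTERN))
        if m:
            cursor = m.end()
            for needle in TRAILING:
                idx = body.find(needle, cursor)
                if idx == -1:
                    break
                cursor = idx + len(needle)
            else:
                return True
        start = body.find(FAST_PATTERN, start + 1)
    return False


if __name__ == "__main__":
    for name in ("INJECTION_ATTEMPT", "BENIGN_QUERY", "WRONG_URI",
                 "WRONG_METHOD", "OUT_OF_ORDER", "RETRY_CASE"):
        print(f"{name}: {matches_sid_2039129(globals()[name])}")
```

The loop over every "opTime" occurrence matters: a relative, anchored pcre only looks immediately after the previous hit, so a benign "opTimeZone" field earlier in the body must not mask a later "opTimeEnd=" that carries the quote and comment markers.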

Version timestamps:
Oct 7, 2022, 12:00 PM
Oct 7, 2022, 12:00 PM
Oct 7, 2022, 10:00 PM
Aug 29, 2025, 8:34 PM

Source file: rules/emerging-exploit.rules