Rule History

alert http $HOME_NET any -> any 80 (msg:"ET EXPLOIT Possible Command Injection via User-Agent (PwnAgent) - CVE-2023-24749, CVE-2022-47208"; flow:established,to_server; http.method; content:"GET"; http.user_agent; content:"|22 3b|"; content:"|3b 22|"; endswith; fast_pattern; reference:url,mahaloz.re/2023/02/25/pwnagent-netgear.html; reference:url,www.synacktiv.com/en/publications/cool-vulns-dont-live-long-netgear-and-pwn2own.html; reference:cve,2023-24749; reference:cve,2022-47208; classtype:attempted-admin; sid:2045636; rev:1; metadata:affected_product Netgear_Router, attack_target Networking_Equipment, created_at 2023_05_11, cve CVE_2023_24749_CVE_2022_47208, deployment Perimeter, deployment Internal, performance_impact Low, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_11, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)