From a4bec724a6db4f0954b446c0a73a58d6eeb69fbb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 25 Jan 2021 11:54:23 +0100
Subject: [PATCH] rule: SonicWall exploitation
---
 .../web/web_sonicwall_jarrewrite_exploit.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/web/web_sonicwall_jarrewrite_exploit.yml
diff --git a/rules/web/web_sonicwall_jarrewrite_exploit.yml b/rules/web/web_sonicwall_jarrewrite_exploit.yml
new file mode 100644
index 000000000..b96b9bd73
--- /dev/null
+++ b/rules/web/web_sonicwall_jarrewrite_exploit.yml
@@ -0,0 +1,27 @@
+title: SonicWall SSL/VPN Jarrewrite Exploit
+id: 6f55f047-112b-4101-ad32-43913f52db46
+status: experimental
+description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
+author: Florian Roth
+date: 2021/01/25
+tags:
+ - attack.t1190
+ - attack.initial_access
+references:
+ - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/cgi-bin/jarrewrite.sh'
+ c-useragent|contains:
+ - ':;'
+ - '() {'
+ - '/bin/bash -c'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - Unknown
+level: high
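Review bot: The selection only looks at `c-useragent` for the `() {` / `:;` / `/bin/bash -c` markers, so the same Shellshock-style payload delivered in another request header (Referer, Cookie, or a custom header) against `/cgi-bin/jarrewrite.sh` is missed although the CGI handler would evaluate it the same way; if the webserver log backend exposes those headers, add them next to `c-useragent` with the same value list (the exact field names depend on the backend mapping, so confirm them before adding). The `':;'` value is a very short substring that is only safe because it is ANDed with the URI condition in the same map; a comment such as `# ':;' alone is noisy - it is intentionally tied to the jarrewrite.sh URI above` would stop a later refactor from moving it into a standalone selection. `falsepositives: - Unknown` could be narrowed to what is actually expected here, for example `- Vulnerability scanners and penetration tests replaying the public PoC`, since a high-level hit on a production appliance is otherwise read as confirmed exploitation. The hunk is the whole new file, so nothing is cut off.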