title: SonicWall SSL/VPN Jarrewrite Exploit
id: 6f55f047-112b-4101-ad32-43913f52db46
status: test
description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
references:
    - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
author: Florian Roth (Nextron Systems)
date: 2021/01/25
modified: 2023/01/02
tags:
    - attack.t1190
    - attack.initial_access
logsource:
    category: webserver
detection:
    selection:
        cs-uri-query|contains: '/cgi-bin/jarrewrite.sh'
        cs-user-agent|contains:
            - ':;'
            - '() {'
            - '/bin/bash -c'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: high