From e5f63bf35c996c178f28628a29e13578a7e171ec Mon Sep 17 00:00:00 2001
From: Seth Grover
Date: Wed, 13 Dec 2023 12:33:49 -0700
Subject: [PATCH] idaholab/Malcolm#251; include CVE-2023-28771 rule based on Zyxel SektorCERT Report
---
 .../OT/malcolm/CVE-2023-28771_Zyxel.rules | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 suricata/default-rules/OT/malcolm/CVE-2023-28771_Zyxel.rules
diff --git a/suricata/default-rules/OT/malcolm/CVE-2023-28771_Zyxel.rules b/suricata/default-rules/OT/malcolm/CVE-2023-28771_Zyxel.rules
new file mode 100644
index 000000000..0d633a768
--- /dev/null
+++ b/suricata/default-rules/OT/malcolm/CVE-2023-28771_Zyxel.rules
@@ -0,0 +1,17 @@
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show users"; nocase; sid:1000001; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show sessions"; nocase; sid:1000002; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show configuration"; nocase; sid:1000003; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show running-config"; nocase; sid:1000004; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show firewall rule"; nocase; sid:1000005; rev:1;)
+alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"export config"; nocase; sid:1000006; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/mipskiller"; sid:1000007; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/mipskiller"; sid:1000008; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/proxy2"; sid:1000009; rev:1;)
+alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/proxy2"; sid:1000009; rev:1;)
+alert tcp any any -> any 8081 (msg: "Potential Zyxel Payload connection"; content:"/proxy2"; sid:1000010; rev:1;)
+alert tcp any any -> any 82 (msg: "Potential Zyxel Payload connection"; content:"/fuckjewishpeople.mips"; sid:1000011; rev:1;)
+alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/mips"; sid:1000012; rev:1;)
+alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/mpsl"; sid:1000013; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/bins/paraiso.mips"; sid:1000014; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/bins/libcurl1337.mips"; sid:1000015; rev:1;)
+alert tcp any any -> any any (msg: "Potential Zyxel Payload connection"; content:"/proxy1"; sid:1000016; rev:1;)
\ No newline at end of file
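Review bot: sid 1000009 is assigned to two different rules (the any-port `/proxy2` rule and the port-8080 `/proxy2` rule); Suricata rejects a duplicate sid/gid pair at load time and drops one of them, so the second needs its own number, e.g. `alert tcp any any -> any 8080 (msg: "Potential Zyxel Payload connection"; content:"/proxy2"; sid:1000010; rev:1;)` with the later sids shifted up. Two other rules look like copy-paste leftovers rather than intent: sids 1000007 and 1000008 are byte-identical `/mipskiller` rules, and the port-8080/8081 `/proxy2` rules are fully subsumed by the any-port `/proxy2` rule, so deleting those three avoids triple alerts on one session. The eleven payload rules match a raw substring anywhere in the TCP payload in either direction, so `/mips` or `/proxy1` will fire on unrelated traffic; pinning them to the request URI with `flow:established,to_server;` and the `http.uri;` sticky buffer (and `alert http`) keeps the detection but cuts the noise, and none of the 17 rules carries `reference:cve,2023-28771;` or a `classtype:`, which is what analysts and the alert severity mapping key off. The file also ends without a trailing newline, which the hunk's final marker shows.
```suricata
alert udp any any -> any 500 (msg:"Potential CVE-2023-28771 Exploit Detected"; content:"show users"; nocase; reference:cve,2023-28771; classtype:attempted-admin; sid:1000001; rev:1;)
# … unchanged pattern: sids 1000002-1000006 gain the same reference/classtype …
alert http any any -> any any (msg:"Potential Zyxel Payload connection"; flow:established,to_server; http.uri; content:"/mipskiller"; reference:cve,2023-28771; classtype:trojan-activity; sid:1000007; rev:1;)
alert http any any -> any any (msg:"Potential Zyxel Payload connection"; flow:established,to_server; http.uri; content:"/proxy2"; reference:cve,2023-28771; classtype:trojan-activity; sid:1000008; rev:1;)
# … remaining payload-URI rules follow the same shape, each with a unique sid; the duplicate /mipskiller and port-specific /proxy2 rules are dropped …
```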