title: SonicWall SSL/VPN Jarrewrite Exploit
id: 6f55f047-112b-4101-ad32-43913f52db46
status: experimental
description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
author: Florian Roth
date: 2021/01/25
tags:
    - attack.t1190
    - attack.initial_access
references:
    - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains: '/cgi-bin/jarrewrite.sh'
        c-useragent|contains:
            - ':;'
            - '() {'
            - '/bin/bash -c'
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: high