"ET ATTACK_RESPONSE Possible CVE-2016-1287 Inbound Reverse CLI Shellcode"
SID: 2022819
Revision: 1
Class Type: attempted-admin
Metadata: created_at 2016_05_18, cve CVE_2016_1287, updated_at 2016_05_18
Reference:
Protocol: udp
Source Network: $EXTERNAL_NET
Source Port: any
Destination Network: $HOME_NET
Destination Port: 500
Flow: to_server
Contents:
- Value: "|ff ff ff|tcp/CONNECT/3/"
Within:
PCRE: "/^(?:\d{1,3}.){3}\d{1,3}\/\d+\x00$/Ri"
Special Options: