YARA rules for CVE-2021-3521
2 rules · scoped to cve · back to CVE-2021-3521
YARA rules whose family, name, or description matches this cve or its tooling. Use these for binary-pattern hunts.
rule SUSP_ServU_SSH_Error_Pattern_Jul21_1 {
meta:
description = "Detects suspicious SSH component exceptions that could be an indicator of exploitation attempts as described in advisory addressing CVE-2021-35211 in ServU services"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ"
date = "2021-07-12"
score = 60
id = "1a89f0b0-445c-5867-94cd-f07ba1becad6"
strings:
$s1 = "EXCEPTION: C0000005;" ascii
$s2 = "CSUSSHSocket::ProcessReceive();" ascii
condition:
filename == "DebugSocketlog.txt"
and all of ($s*)
}
rule SUSP_ServU_Known_Mal_IP_Jul21_1 {
meta:
description = "Detects suspicious IP addresses used in exploitation of ServU services CVE-2021-35211 and reported by Solarwinds"
author = "Florian Roth (Nextron Systems)"
reference = "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211#FAQ"
date = "2021-07-12"
score = 60
id = "118272a7-7ec9-568b-99e0-8cfe97f3f64e"
strings:
$xip1 = "98.176.196.89" ascii fullword
$xip2 = "68.235.178.32" ascii fullword
$xip3 = "208.113.35.58" ascii fullword
$xip4 = "144.34.179.162" ascii fullword
$xip5 = "97.77.97.58" ascii fullword
condition:
filename == "DebugSocketlog.txt"
and 1 of them
}