CVE-2022-24497
A Zeek detector for CVE-2022-24497:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24497
Example notices from the testing PCAP:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2022-04-13-21-45-25
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions email_dest suppress_for remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] set[string] interval string string string double double
1649885952.829925 CHhAvVGS1DHFjwGM9 192.168.88.146 685 192.168.88.157 111 - - - tcp CVE202224497::POTENTIAL_CVE_2022_24497 Possible CVE-2022-24497 exploit attempt. An RPC portmap getport and portmap dump were observed. - 192.168.88.146 192.168.88.157 111 - - Notice::ACTION_LOG (empty) 3600.000000 - - - - -
#close 2022-04-13-21-45-25
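
The notice log above is in Zeek's TSV format, so hits from this detector can be pulled out with a small parser. The following is an added example, not code from this package: it reads the header directives, converts typed columns, and filters on the notice type shown above. The sample rows, addresses, and the helper names (`parse_zeek_tsv`, `cve_2022_24497_hits`) are constructed for illustration.

```python
# Added example (not the package's code): parse a Zeek TSV notice.log for triage.
NOTE = "CVE202224497::POTENTIAL_CVE_2022_24497"  # notice type from the README's log

def _convert(value, ztype, meta):
    """Map one TSV cell to a Python value using the column's declared Zeek type."""
    if value == meta["unset_field"]:
        return None
    if ztype.startswith(("set[", "vector[")):
        return [] if value == meta["empty_field"] else value.split(meta["set_separator"])
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype in ("port", "count", "int"):
        return int(value)
    return value

def parse_zeek_tsv(lines):
    """Yield one dict per record, honouring the '#'-prefixed header directives."""
    sep, fields, types = "\t", [], []
    meta = {"unset_field": "-", "empty_field": "(empty)", "set_separator": ","}
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#separator"):
            # The separator line is space-delimited and its value is escaped (\x09).
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            else:
                meta[key] = value
        elif line:
            cells = line.split(sep)
            yield {f: _convert(v, t, meta) for f, v, t in zip(fields, cells, types)}

def cve_2022_24497_hits(lines):
    """Return (ts, src, dst, port, uid) for every notice raised by this detector."""
    return [(r["ts"], r["src"], r["dst"], r["p"], r["uid"])
            for r in parse_zeek_tsv(lines) if r["note"] == NOTE]

# Constructed sample: a subset of the README's columns, documentation-range addresses.
FIELDS = "ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto note msg src dst p actions".split()
TYPES = "time string addr port addr port enum enum string addr addr port set[enum]".split()
ROWS = [["1700000000.500000", "CtestUid000000001", "198.51.100.7", "685", "203.0.113.20", "111",
         "tcp", NOTE, "constructed notice text", "198.51.100.7", "203.0.113.20", "111",
         "Notice::ACTION_LOG"],
        ["1700000001.000000", "-", "-", "-", "-", "-", "-", "SSH::Password_Guessing",
         "constructed unrelated notice", "198.51.100.9", "-", "-", "(empty)"]]
SAMPLE = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)", "#unset_field\t-",
          "#path\tnotice", "#fields\t" + "\t".join(FIELDS), "#types\t" + "\t".join(TYPES)]
SAMPLE += ["\t".join(row) for row in ROWS]
```

To run it against a real log, pass an open file handle for `notice.log` to `cve_2022_24497_hits` in place of `SAMPLE`.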