CVE-2022-24497 PoC — Windows Network File System Remote Code Execution Vulnerability

Associated Vulnerability
Title: Windows Network File System Remote Code Execution Vulnerability (CVE-2022-24497)
Description: Windows Network File System Remote Code Execution Vulnerability
Description
A Zeek detector for CVE-2022-24497.
Readme
CVE-2022-24497
=================================

A Zeek detector for CVE-2022-24497:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24497

Example notices from the testing PCAP:

```
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	notice
#open	2022-04-13-21-45-25
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	fuid	file_mime_type	file_desc	proto	note	msg	sub	src	dst	p	n	peer_descr	actions	email_dest	suppress_for	remote_location.country_code	remote_location.region	remote_location.city	remote_location.latitude	remote_location.longitude
#types	time	string	addr	port	addr	port	string	string	string	enum	enum	string	string	addr	addr	port	count	string	set[enum]	set[string]	interval	string	string	string	double	double
1649885952.829925	CHhAvVGS1DHFjwGM9	192.168.88.146	685	192.168.88.157	111	-	-	-	tcp	CVE202224497::POTENTIAL_CVE_2022_24497	Possible CVE-2022-24497 exploit attempt.  An RPC portmap getport and portmap dump were observed.	-	192.168.88.146	192.168.88.157	111	-	-	Notice::ACTION_LOG	(empty)	3600.000000	-	-	-	-	-
#close	2022-04-13-21-45-25
```
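For triage, a notice log like the one above can be read by honoring its `#` header directives instead of assuming fixed column positions. The following is an added example, not code from this repository; the function names, the trimmed column set and the second sample record are constructed for illustration.

```python
from datetime import datetime, timezone
NOTE = "CVE202224497::POTENTIAL_CVE_2022_24497"  # note name from the README's log

def _convert(value, ztype, meta):
    """Map one cell to a Python value using its declared Zeek type."""
    if value == meta["unset_field"]:
        return None
    if ztype.startswith(("set[", "vector[")):
        return [] if value == meta["empty_field"] else value.split(meta["set_separator"])
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype in ("port", "count", "int"):
        return int(value)
    return "" if value == meta["empty_field"] else value

def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts, honoring its '#' header directives."""
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    sep, rows = "\t", []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # Written escaped (e.g. \x09) and set off by a space, not by sep.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            meta[key] = vals if key in ("fields", "types") else "".join(vals[:1])
        elif line:
            cells = zip(meta.get("fields", []), meta.get("types", []), line.split(sep))
            rows.append({f: _convert(v, t, meta) for f, t, v in cells})
    return rows

def cve_notices(text):
    """Return (UTC time, src, dst, dst port) per CVE-2022-24497 notice."""
    return [(datetime.fromtimestamp(r["ts"], tz=timezone.utc).isoformat(timespec="seconds"),
             r["src"], r["dst"], r["p"])
            for r in parse_zeek_log(text) if r.get("note") == NOTE]

# Constructed sample: row 1 reuses the README notice's values; row 2 is made up.
_COLS = [("ts", "time"), ("note", "enum"), ("msg", "string"), ("src", "addr"),
         ("dst", "addr"), ("p", "port"), ("n", "count"), ("email_dest", "set[string]")]
SAMPLE = "\n".join([
    r"#separator \x09",
    "#fields\t" + "\t".join(c for c, _ in _COLS),
    "#types\t" + "\t".join(t for _, t in _COLS),
    "\t".join(["1649885952.829925", NOTE, "Possible CVE-2022-24497 exploit attempt.",
               "192.168.88.146", "192.168.88.157", "111", "-", "(empty)"]),
    "\t".join(["1649885960.000000", "SSL::Invalid_Server_Cert", "constructed",
               "192.168.88.146", "192.168.88.157", "443", "-", "(empty)"]),
])
```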
File Snapshot

```
[4.0K] /data/pocs/21cb3f9e50ac9a0f74fe64fbe7a9b8600a252596
├── [  49] COPYING
├── [1.5K] LICENSE
├── [1.1K] README.md
├── [4.0K] scripts
│   ├── [ 992] cve_2022_24497.sig
│   ├── [  45] __load__.zeek
│   └── [ 409] main.zeek
├── [4.0K] testing
│   ├── [4.0K] Baseline
│   │   └── [4.0K] cve202224497.run-pcap
│   │       ├── [ 729] conn.log
│   │       ├── [1.0K] notice.log
│   │       └── [ 115] output
│   ├── [ 565] btest.cfg
│   ├── [4.0K] cve202224497
│   │   └── [ 258] run-pcap.zeek
│   ├── [4.0K] Files
│   │   └── [ 192] random.seed
│   ├── [  28] Makefile
│   ├── [4.0K] Scripts
│   │   ├── [ 383] diff-remove-timestamps
│   │   ├── [1.3K] get-zeek-env
│   │   └── [ 303] README
│   └── [4.0K] Traces
│       └── [1.1K] CVE-2022-24497.pcap
└── [ 297] zkg.meta

8 directories, 18 files
```