rule bulwark_https_bulwarkblack_com_cisco_sdwan_cve_2026_20245_edge_controller_defense
{
    meta:
        author = "Bulwark Black LLC"
        source = "https://bulwarkblack.com/cisco-sdwan-cve-2026-20245-edge-controller-defense/"
        description = "Auto-extracted indicators. Verify before use; not a behavioral detection rule."
        generated = "2026-07-15T22:30:42Z"
        tlp = "TLP:CLEAR"
        indicator_count = "11"
    strings:
        $s0 = "20.12.7.1" ascii wide nocase  // IPv4
        $s1 = "20.12.7.2" ascii wide nocase  // IPv4
        $s2 = "20.15.4.4" ascii wide nocase  // IPv4
        $s3 = "20.15.4.5" ascii wide nocase  // IPv4
        $s4 = "20.15.5.2" ascii wide nocase  // IPv4
        $s5 = "20.15.5.3" ascii wide nocase  // IPv4
        $s6 = "20.18.3.1" ascii wide nocase  // IPv4
        $s7 = "20.9.9.1" ascii wide nocase  // IPv4
        $s8 = "20.9.9.2" ascii wide nocase  // IPv4
        $s9 = "26.1.1.1" ascii wide nocase  // IPv4
        $s10 = "26.1.1.2" ascii wide nocase  // IPv4
    condition:
        any of ($s*)
}
