Rule History

alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2013-0156 Ruby On Rails XML POST to Disallowed Type SYMBOL"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|20|type="; nocase; fast_pattern; content:"symbol"; distance:0; nocase; pcre:"/<[^>]*\stype\s*=\s*[\x22\x27]symbol[\x22\x27]/i"; http.content_type; pcre:"/^(?:application\/(?:x-)?|text\/)xml/"; reference:url,groups.google.com/forum/?hl=en&fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ; classtype:web-application-activity; sid:2016176; rev:7; metadata:created_at 2013_01_09, confidence Medium, signature_severity Major, updated_at 2022_07_14;)