Rule History

SID: 2018092 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 3 • Feb 7, 2014, 12:00 PM

Message:

ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152

Rule:

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152"; flow:established,to_server; http.uri; content:"/reports/rwservlet?"; nocase; content:"JOBTYPE"; nocase; content:"rwurl"; nocase; content:"URLPARAMETER"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]?(?:f(?:ile|tp)|gopher|https?|mailto)\s*?\x3a/Ri"; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018092; rev:3; metadata:created_at 2014_02_07, cve CVE_2012_3152, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_27;)

Created:

Feb 7, 2014, 12:00 PM

Updated:

Apr 27, 2020, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Oct 6, 2025, 4:34 PM

Filename:

rules/emerging-web_server.rules