Rule History

alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Possible Scanning for Vulnerable JBoss"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/invoker/"; depth:9; content:"servlet/"; http.request_body; content:"org.jboss.invocation.MarshalledValue"; http.content_type; content:"application/x-java-serialized-object|3b|"; endswith; reference:url,blog.imperva.com/2015/12/zero-day-attack-strikes-again-java-zero-day-vulnerability-cve-2015-4852-tracked-by-imperva.html; classtype:web-application-attack; sid:2022240; rev:3; metadata:created_at 2015_12_09, confidence Medium, signature_severity Minor, updated_at 2020_06_09;)