Rule History

alert http any any -> $HOME_NET 5984 (msg:"ET EXPLOIT Apache CouchDB JSON Remote Privesc Attempt (CVE-2017-12635)"; flow:established,to_server,only_stream; http.method; content:"PUT"; http.uri; content:"/_users/"; http.request_body; content:"_admin"; fast_pattern; reference:cve,2017-12635; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/vulnerabilities-apache-couchdb-open-door-monero-miners/; classtype:attempted-admin; sid:2025435; rev:4; metadata:attack_target Server, created_at 2018_03_19, cve CVE_2017_12635, deployment Datacenter, malware_family CoinMiner, signature_severity Major, updated_at 2020_11_05;)