Rule History

alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS [PT OPEN] Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/user/register"; http.request_body; content:"drupal"; pcre:"/(%23|#)(access_callback|pre_render|post_render|lazy_builder)/i"; reference:cve,2018-7600; reference:url,research.checkpoint.com/uncovering-drupalgeddon-2; classtype:attempted-admin; sid:2025494; rev:3; metadata:affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_13, deployment Datacenter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_25;)