Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Microsoft SQL RCE Attempt (CVE-2020-0618)"; flow:established,to_server; urilen:37; http.method; content:"POST"; http.uri; content:"/ReportServer/pages/ReportViewer.aspx"; http.request_body; content:"NavigationCorrector|24|PageState|3d|NeedsCorrection|26|NavigationCorrector|24|ViewState|3d|"; startswith; fast_pattern; content:"|26 5f 5f|VIEWSTATE|3d|"; endswith; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/euphrat1ca/CVE-2020-0618; classtype:web-application-attack; sid:2029476; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2020_02_18, cve CVE_2020_0618, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2022_03_24, reviewed_at 2024_02_29;)