Versions (5)
Version DetailsCurrent
Rev: 3 • Feb 25, 2020, 12:00 PMET EXPLOIT [401TRG] GhostCat LFI Attempt Inbound (CVE-2020-1938)
alert tcp any any -> $HOME_NET 8009 (msg:"ET EXPLOIT [401TRG] GhostCat LFI Attempt Inbound (CVE-2020-1938)"; flow:established,to_server; content:"|12 34|"; depth:2; content:"|00 08|HTTP/1.1|00|"; distance:0; content:"javax.servlet.include.path_info|00|"; nocase; distance:0; content:"javax.servlet.include.request_uri|00|"; content:"javax.servlet.include.servlet_path|00|"; flowbits:set,ET.GhostCat; reference:cve,2020-1938; reference:url,www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487; classtype:attempted-admin; sid:2029533; rev:3; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2020_02_25, cve CVE_2020_1938, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_08;)
Feb 25, 2020, 12:00 PM
Jun 8, 2023, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 19, 2025, 10:35 PM
rules/emerging-exploit.rules