
Rule History

SID: 2029985 • Source: et/open

Versions (4)

Version Details (Current)

Rev: 1 • Apr 21, 2020, 12:00 PM

ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan

alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP Scan"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/restAPI/v2/nmap/run/scan/"; startswith; http.request_body; content:"form-data|3b 20|name=|22|ipAddress|22 0d 0a 0d 0a|--script="; fast_pattern; pcre:"/^\/(?:home\/a3user|root)\/agile3\/patches\//R"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:attempted-admin; sid:2029985; rev:1; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2020_04_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Apr 21, 2020, 12:00 PM

Apr 21, 2020, 12:00 PM

Sep 21, 2024, 3:00 AM

Sep 21, 2024, 3:00 AM

rules/emerging-exploit.rules
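The following is an added example, not code from the ET Open rule set, from IBM, or from the referenced PoC. It re-implements the keyword chain of SID 2029985 in plain Python so the rule's match conditions can be walked against constructed HTTP requests without a sensor: POST method, URI starting with /albatross/restAPI/v2/nmap/run/scan/, a request body containing the ipAddress form field whose value begins with --script=, and (via the /R relative modifier) a pcre anchored exactly where that content match ends, requiring the script path to sit under /home/a3user/agile3/patches/ or /root/agile3/patches/. The multipart layout, boundary string and request values below are constructed sample input.

```python
# Added example: not part of the ET Open rule set, the IBM product, or the referenced PoC.
# It re-implements the keyword chain of SID 2029985 in plain Python so the match conditions
# can be exercised against constructed HTTP requests without a Suricata sensor.
import re

# Patterns copied from the rule text. Suricata hex escapes (|3b 20|, |22|, |0d 0a|) are expanded.
URI_PREFIX = b"/albatross/restAPI/v2/nmap/run/scan/"
BODY_CONTENT = b'form-data; name="ipAddress"\r\n\r\n--script='
# The rule's pcre is /^\/(?:home\/a3user|root)\/agile3\/patches\//R. The /R flag makes it
# relative to the end of the previous content match. Python's ^ does not anchor at the
# pos argument of Pattern.match(), so the anchor is dropped and Pattern.match() (which is
# anchored at pos) supplies the same semantics.
BODY_PCRE = re.compile(rb"/(?:home/a3user|root)/agile3/patches/")


def rule_2029985_matches(method: bytes, uri: bytes, body: bytes) -> bool:
    """Return True when a request satisfies every keyword of SID 2029985."""
    # http.method; content:"POST"  (content is a substring match on the method buffer)
    if b"POST" not in method:
        return False
    # http.uri; content:"/albatross/restAPI/v2/nmap/run/scan/"; startswith
    if not uri.startswith(URI_PREFIX):
        return False
    # http.request_body; content:"form-data|3b 20|name=|22|ipAddress|22 0d 0a 0d 0a|--script="; fast_pattern
    end = body.find(BODY_CONTENT)
    if end < 0:
        return False
    end += len(BODY_CONTENT)
    # pcre:"/^.../R": must match starting exactly where the content match ended
    return BODY_PCRE.match(body, end) is not None


def build_multipart(ip_address_value: bytes, boundary: bytes = b"----constructed") -> bytes:
    """Constructed multipart/form-data body with a single 'ipAddress' field (sample input)."""
    return (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="ipAddress"\r\n\r\n'
        + ip_address_value + b"\r\n"
        + b"--" + boundary + b"--\r\n"
    )


# Constructed test cases: (label, method, uri, ipAddress value, expected verdict)
CASES = [
    ("injected script under the a3user patches directory", b"POST", URI_PREFIX + b"1",
     b"--script=/home/a3user/agile3/patches/payload.nse", True),
    ("injected script under the root patches directory", b"POST", URI_PREFIX,
     b"--script=/root/agile3/patches/payload.nse", True),
    ("legitimate scan target", b"POST", URI_PREFIX + b"1", b"10.0.0.5", False),
    ("script outside the two directories the pcre names", b"POST", URI_PREFIX,
     b"--script=/usr/share/nmap/scripts/http-title.nse", False),
    ("target first, then --script (content requires the value to start with --script=)",
     b"POST", URI_PREFIX, b"10.0.0.5 --script=/root/agile3/patches/payload.nse", False),
    ("wrong method", b"GET", URI_PREFIX, b"--script=/root/agile3/patches/payload.nse", False),
    ("wrong endpoint", b"POST", b"/albatross/restAPI/v2/other",
     b"--script=/root/agile3/patches/payload.nse", False),
]


def run_cases() -> dict:
    """Map each case label to the rule's verdict on that constructed request."""
    return {label: rule_2029985_matches(m, u, build_multipart(v)) for label, m, u, v, _ in CASES}


if __name__ == "__main__":
    for label, method, uri, value, expected in CASES:
        verdict = rule_2029985_matches(method, uri, build_multipart(value))
        print(f"{'ALERT   ' if verdict else 'no alert'}  {label}  (expected {expected})")
        assert verdict == expected
```

Two things the cases make visible about the signature's scope: the content match requires the ipAddress value to begin with --script= immediately after the field's blank line, so a value that carries a target address before the injected option does not alert, and the pcre limits alerts to scripts under the two agile3/patches directories, so the same option pointing at any other path on disk is outside this rule. Because all of the discriminating content is in http.request_body, inspection on a real sensor is also subject to its configured request body inspection limit.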