Rule History

SID: 2030804 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 1 • Aug 27, 2020, 12:00 PM

Message:

ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)

Rule:

alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Pulse Secure VPN RCE Inbound (CVE-2020-8218)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/downloadlicenses.cgi?cmd=download"; content:"&txtVLSAuthCode="; distance:0; fast_pattern; http.uri.raw; content:"%3b"; reference:url,www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/; classtype:attempted-admin; sid:2030804; rev:1; metadata:affected_product Pulse_Secure, created_at 2020_08_27, cve CVE_2020_8218, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_27;)

Created:

Aug 27, 2020, 12:00 PM

Updated:

Aug 27, 2020, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 16, 2025, 8:36 PM

Filename:

rules/emerging-exploit.rules