Rule History

SID: 2032340 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 1 • Mar 29, 2021, 12:00 PM

Message:

ET WEB_SPECIFIC_APPS Possible Apache Druid RCE Inbound (CVE-2021-25646)

Rule:

alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Druid RCE Inbound (CVE-2021-25646)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|type|22 3a 20 22|javascript|22|"; fast_pattern; content:"|22|function|22 3a 20|"; pcre:"/^\x22[^\x22]*\x7b[^\x22]*\x7d[^\x22]*\x22[^\x22]*\x22{2}/Rm"; reference:cve,2021-25646; classtype:attempted-admin; sid:2032340; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2021_03_29, cve CVE_2021_25646, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_29;)

Created:

Mar 29, 2021, 12:00 PM

Updated:

Mar 29, 2021, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 15, 2025, 9:36 PM

Filename:

rules/emerging-web_specific_apps.rules