Rule History

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Discourse SNS Webhook RCE Inbound (CVE-2021-41163)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webhooks/aws"; nocase; fast_pattern; http.request_body; content:"|22|SubscribeURL|22 20 3a 20 22 7c|"; nocase; content:"|22|Signature|22 3a|"; nocase; reference:url,0day.click/recipe/discourse-sns-rce/; reference:cve,2021-41163; classtype:attempted-admin; sid:2034252; rev:1; metadata:attack_target Server, created_at 2021_10_25, cve CVE_2021_41163, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2021_10_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)