Versions (4)
Version Details
Current
Rev: 1 • Jan 25, 2022, 12:00 PM
ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/helpdesk/assetReport"; nocase; startswith; fast_pattern; http.request_body; content:"select"; nocase; content:"password"; nocase; http.content_type; content:"text/plain"; reference:url,blog.assetnote.io/2022/01/23/solarwinds-webhelpdesk-hsql-eval-harcoded-creds/; reference:cve,2021-35232; classtype:attempted-admin; sid:2034971; rev:1; metadata:created_at 2022_01_25, cve CVE_2021_35232, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_25;)
Jan 25, 2022, 12:00 PM
Jan 25, 2022, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 8, 2025, 9:34 PM
rules/emerging-exploit.rules