Rule History

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT NodeJS System Information Library Command Injection Attempt (CVE-2021-21315)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/getServices?name"; fast_pattern; pcre:"/^(?:\x28|\x29|\x3c|\x3e|\x26|\x2a|\xe2|\x80|\x98|\x7c|\x3f|\x3b|\x5b|\x5d|\x5e|\x7e|\x21|\x2e|\xe2|\x80|\x9d|\x25|\x40|\x2f|\x5c|\x3a|\x2b|\x2c|\x60)/R"; content:"|3d|"; distance:0; within:10; reference:cve,2021-21315; classtype:attempted-admin; sid:2034973; rev:2; metadata:attack_target Server, created_at 2022_01_25, cve CVE_2021_21315, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_25, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)