Rule History

SID: 2038637 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 1 • Aug 29, 2022, 12:00 PM

Message:

ET ATTACK_RESPONSE Possible WebShell Upload Attempt via Directory Traversal M1

Rule:

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible WebShell Upload Attempt via Directory Traversal M1"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"./"; content:"filename=|22|"; fast_pattern; pcre:"/^[^\x22]+(\.{1,2}\/)+(\w+\/?)+\.(jsp|aspx?|php)\x22/R"; classtype:attempted-admin; sid:2038637; rev:1; metadata:created_at 2022_08_29, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_08_29, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:dest_ip;)

Created:

Aug 29, 2022, 12:00 PM

Updated:

Aug 29, 2022, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Sep 1, 2025, 8:35 PM

Filename:

rules/emerging-attack_response.rules