Rule History

SID: 2039466 • Source: et/open

Versions (4)

Version DetailsCurrent

Rev: 2 • Oct 19, 2022, 12:00 PM

Message:

ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound)

Rule:

alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible Apache Text4shell RCE Attempt DNS Prefix (CVE-2022-42889) (Inbound)"; flow:established,to_server; http.uri; content:"|3d 24 7b|dns|3a|address|7c|"; fast_pattern; content:"|7d|"; distance:0; reference:cve,2022-42889; reference:url,sysdig.com/blog/cve-2022-42889-text4shell; classtype:attempted-admin; sid:2039466; rev:2; metadata:affected_product Apache_HTTP_server, attack_target Web_Server, created_at 2022_10_19, cve CVE_2022_42889, deployment Perimeter, deployment SSLDecrypt, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_24;)

Created:

Oct 19, 2022, 12:00 PM

Updated:

Oct 24, 2022, 12:00 PM

DB Created:

Oct 19, 2022, 9:00 PM

DB Updated:

Aug 28, 2025, 9:34 PM

Filename:

rules/emerging-exploit.rules