Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Fortigate VPN - Request to /remote/info - Possible CVE-2023-27997 Exploit Attempt"; flow:established,to_server; threshold: type limit, track by_src, count 1, seconds 120; http.method; content:"GET"; http.uri; content:"/remote/info"; fast_pattern; startswith; reference:cve,2023-27997; reference:url,blog.lexfo.fr/xortigate-cve-2023-27997.html; classtype:attempted-admin; sid:2046256; rev:1; metadata:affected_product Fortigate, attack_target Networking_Equipment, created_at 2023_06_13, cve CVE_2023_27997, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, tag CISA_KEV, updated_at 2023_06_13; target:dest_ip;)