Rule History

SID: 2048259 • Source: et/open

Versions (5)

Version DetailsCurrent

Rev: 2 • Sep 26, 2023, 12:00 PM

Message:

ET WEB_SPECIFIC_APPS Oracle WebLogic Server OS Command Injection Attempt Inbound (CVE-2017-3506)

Rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Oracle WebLogic Server OS Command Injection Attempt Inbound (CVE-2017-3506)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/wls-wsat/coordinatorporttype"; nocase; bsize:29; fast_pattern; http.request_body; content:"<string>"; pcre:"/^(?:\x2fbin\x2f|\w+\.exe)/R"; reference:url,www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html; reference:url,nvd.nist.gov/vuln/detail/CVE-2017-3606; reference:cve,2017-3506; classtype:attempted-admin; sid:2048259; rev:2; metadata:attack_target Web_Server, created_at 2023_09_26, cve CVE_2017_3506, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2025_08_06, reviewed_at 2023_09_26; target:dest_ip;)

Created:

Sep 26, 2023, 12:00 PM

Updated:

Aug 6, 2025, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Aug 6, 2025, 8:34 PM

Filename:

rules/emerging-web_specific_apps.rules