Rule History

alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22515 Step 1/2 Success"; flow:established,to_client; flowbits:isset,ET.CVE-2023-22515.step1.request; http.stat_code; content:"200"; http.response_body; content:"|3c 2f|div|3e 3c 21 2d 2d 20 5c 23|sidebar|2d|container|20 2d 2d 3e 0a 0a 20 20 20 20 20 20 20 20|success|0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f|main|3e 3c 21 2d 2d 20 5c 23|main|20 2d 2d 3e 0a|"; fast_pattern; reference:url,confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html; reference:url,www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/; reference:url,attackerkb.com/topics/Q5f0ItSzw5/cve-2023-22515/rapid7-analysis; reference:cve,2023-22515; reference:cve,2023-22515; classtype:successful-admin; sid:2048544; rev:1; metadata:affected_product Atlassian_Confluence, attack_target Web_Server, created_at 2023_10_12, cve CVE_2023_22515, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Critical, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_12, reviewed_at 2023_10_12; target:src_ip;)