Rule History

SID: 2048581 • Source: et/open

Versions (4)

Version Details • Current

Rev: 2 • Oct 17, 2023, 12:00 PM

ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity - Clone

alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity - Clone"; flow:established,to_server; http.uri; content:"/setup/setupadministrator.action"; fast_pattern; reference:url,confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html; reference:url,www.rapid7.com/blog/post/2023/10/04/etr-cve-2023-22515-zero-day-privilege-escalation-in-confluence-server-and-data-center/; reference:cve,2023-22515; classtype:attempted-recon; sid:2048581; rev:2; metadata:affected_product Atlassian_Confluence, attack_target Web_Server, created_at 2023_10_17, cve CVE_2023_22515, deployment Perimeter, deployment Internal, deployment SSLDecrypt, deprecation_reason Duplicate, performance_impact Low, confidence Medium, signature_severity Informational, tag CISA_KEV, updated_at 2023_12_14; target:dest_ip;)

Oct 17, 2023, 12:00 PM

Dec 14, 2023, 12:00 PM

Sep 21, 2024, 3:00 AM

May 30, 2025, 12:04 AM

rules/emerging-current_events.rules