Versions (5)
Version Details (Current)
Rev: 1 • Oct 23, 2023, 12:00 PM
ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M1
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M1"; flow:established,to_client; http.response_body; content:"|3c|head|3e 3c|title|3e|404|20|Not|20|Found|3c 2f|title|3e 3c 2f|head|3e|"; content:"|3c|center|3e 3c|h1|3e|404|20|Not|20|Found|3c 2f|h1|3e 3c 2f|center|3e|"; fast_pattern; content:"|3c|hr|3e 3c|center|3e|nginx|3c 2f|center|3e|"; flowbits:isset,ET.CVE-2023-20198.Outbound; reference:url,github.com/fox-it/cisco-ios-xe-implant-detection; reference:cve,2023-20198; classtype:attempted-recon; sid:2048740; rev:1; metadata:attack_target Networking_Equipment, created_at 2023_10_23, cve CVE_2023_20198, deployment Perimeter, deployment SSLDecrypt, performance_impact Significant, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_10_23, reviewed_at 2023_10_23;)
Oct 23, 2023, 12:00 PM
Oct 23, 2023, 12:00 PM
Sep 21, 2024, 3:00 AM
Aug 18, 2025, 8:35 PM
rules/emerging-exploit.rules