Rule History

SID: 2049045 • Source: et/open

Versions (5)

Version Details (Current)

Rev: 2 • Nov 2, 2023, 12:00 PM

ET EXPLOIT Apache ActiveMQ Remote Code Execution Attempt (CVE-2023-46604)

alert tcp any any -> $HOME_NET [61616:61617] (msg:"ET EXPLOIT Apache ActiveMQ Remote Code Execution Attempt (CVE-2023-46604)"; flow:established,to_server; xbits:set,ET.CVE-2023-46604.attempt, track ip_dst, expire 300; stream_size:server,<,500; content:"|01 01|"; content:"org.springframework.context.support.ClassPathXmlApplicationContext|01|"; nocase; within:70; fast_pattern; content:"http"; within:10; content:"|3a 2f 2f|"; within:4; reference:url,attackerkb.com/topics/IHsgZDE3tS/cve-2023-46604; reference:url,activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt; reference:url,github.com/X1r0z/ActiveMQ-RCE; reference:cve,2023-46604; classtype:attempted-admin; sid:2049045; rev:2; metadata:attack_target Server, created_at 2023_11_02, cve CVE_2023_46604, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Critical, tag CISA_KEV, updated_at 2023_11_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Nov 2, 2023, 12:00 PM

Nov 29, 2023, 12:00 PM

Sep 21, 2024, 3:00 AM

May 30, 2025, 12:04 AM

rules/emerging-exploit.rules