Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_server; flowbits:set,ET.CVE-2023-49105.request; http.method; content:!"OPTIONS"; http.uri; content:"/remote.php/dav"; fast_pattern; content:"OC-Credential="; nocase; content:"OC-Verb="; nocase; content:"OC-Expires="; nocase; content:"OC-Date="; nocase; content:"OC-Signature="; nocase; pcre:"/^[a-f0-9]{64}(?:&|$)/R"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:attempted-admin; sid:2049617; rev:2; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49105, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)