Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Sophos Web Appliance Pre-Auth Command Injection Attempt (CVE-2023-1671)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|index|2e|php|3f|c|3d|blocked|26|action|3d|continue"; bsize:36; http.request_body; content:"args_reason=filetypewarn&url="; startswith; fast_pattern; content:"&filetype="; content:"&user_encoded="; reference:url,sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce; classtype:attempted-admin; sid:2049632; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_12_11, cve CVE_2023_1671, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag cve_2023_1671, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_11, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)