Rule History

alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache Kafka UI Unsanitized Groovy Script Filter Remote Code Execution Attempt (CVE-2023-52251)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/clusters/"; startswith; content:"/topics/"; distance:0; within:50; content:"/messages?q|3d 22|"; within:50; content:"|28 29 26|filterQueryType|3d|GROOVY_SCRIPT"; distance:0; fast_pattern; reference:url,attackerkb.com/topics/ATJ1hTVB8H/cve-2023-52251; reference:cve,2023-52251; classtype:attempted-admin; sid:2050499; rev:1; metadata:affected_product Apache_Kafka, attack_target Web_Server, created_at 2024_01_25, cve CVE_2023_52251, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_01_25, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)