Versions (3)
Version Details
Current
Rev: 1 • Feb 12, 2024, 12:00 PM
ET WEB_SPECIFIC_APPS Possible Oracle Weblogic IIOP/T3 JNDI Injection Attack (CVE-2024-20931)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"ET WEB_SPECIFIC_APPS Possible Oracle Weblogic IIOP/T3 JNDI Injection Attack (CVE-2024-20931)"; flow:established,to_server; content:"java.naming.factory.initial"; fast_pattern; content:"jmsInitialContextFactory"; within:60; content:"datasource"; within:20; content:"ldap|3a 2f 2f|"; pcre:"/^(\d{1,3}\.){3}\d{1,3}\x3a\d{1,5}\x2f/R"; reference:url,attackerkb.com/topics/GizBcG19y2/cve-2024-20931; reference:cve,2024-20931; classtype:attempted-admin; sid:2050791; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_02_12, cve CVE_2024_20931, deployment Perimeter, deployment Internal, performance_impact Low, confidence Low, signature_severity Major, updated_at 2024_02_12; target:dest_ip;)
Feb 12, 2024, 12:00 PM
Feb 12, 2024, 11:00 PM
rules/emerging-web_specific_apps.rules