Rule History

alert http [$HOME_NET,$HTTP_SERVERS] any -> any any (msg:"ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - SetupWizard Auth Bypass Vulnerable Version Detected (CVE-2024-1709 CVE-2024-1708)"; flow:established,to_client; http.server; content:"ScreenConnect/"; fast_pattern; startswith; pcre:"/^(?:[3456789]|2(?:[012]|3\.(?:[012345678]|9\.[1234567]))?|1\d?)\./R"; threshold:type limit, count 1, seconds 3600, track by_src; reference:url,s1creenconnect.connectwise.com/download/archive; reference:url,www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8; reference:cve,2024-1709; reference:cve,2024-1708; classtype:web-application-activity; sid:2050990; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_02_21, cve CVE_2024_1709, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Informational, tag CISA_KEV, updated_at 2024_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:src_ip;)