Rule History

SID: 2051827 • Source: et/open

Versions (6)

Version DetailsCurrent

Rev: 2 • Mar 28, 2024, 12:00 PM

Message:

ET EXPLOIT RoundCube Webmail Persistent XSS Attempt (CVE-2023-43770)

Rule:

alert smtp any any -> [$SMTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT RoundCube Webmail Persistent XSS Attempt (CVE-2023-43770)"; flow:established,to_server; content:"Content-Type: text/plain|3b|"; content:"|0a 0a 5b 3c|"; fast_pattern; pcre:"/^[^\x3e\x0d\x0a]*?(?:[\x20\x27\x22\x2f]on[a-z]+\x3d|(?:\x3cs(?:cript[\x3a\x3e\x20\x2b\x2f]|tyle\x3d)|\x3ciframe[\x20\x2f]))/R"; reference:cve,2023-43770; classtype:attempted-user; sid:2051827; rev:2; metadata:attack_target Networking_Equipment, created_at 2024_03_28, cve CVE_2023_43770, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2026_01_14;)

Created:

Mar 28, 2024, 12:00 PM

Updated:

Jan 14, 2026, 12:00 PM

DB Created:

Sep 21, 2024, 3:00 AM

DB Updated:

Jan 14, 2026, 11:34 PM

Filename:

rules/emerging-exploit.rules