Versions (3)
Version DetailsCurrent
Rev: 3 • Aug 20, 2025, 12:00 PMET INFO Commvault Server Hostname Observed in HTTP Response
alert http $HOME_NET any -> any any (msg:"ET INFO Commvault Server Hostname Observed in HTTP Response"; flow:established,to_client; http.response_body; content:"activeMQConnectionURL"; fast_pattern; content:"tcp|3a 2f 2f|"; reference:url,labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/; classtype:misc-activity; sid:2064058; rev:3; metadata:affected_product Commvault, attack_target Server, tls_state TLSDecrypt, created_at 2025_08_20, deployment Perimeter, deployment Internal, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_20, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:dest_ip;)
Aug 20, 2025, 12:00 PM
Jan 20, 2026, 12:00 PM
Aug 20, 2025, 9:35 PM
Jan 20, 2026, 9:34 PM
rules/emerging-info.rules