Rule History

alert http $HOME_NET any -> any any (msg:"ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Response Valid License Request Token Disclosure"; flow:established,to_client; flowbits:isset,ET.GoAnywhere.CVE-2025-10035; http.stat_code; content:"302"; http.location; content:"/lic/request|3f|bundle|3d|"; fast_pattern; reference:url,labs.watchtowr.com/is-this-bad-this-feels-bad-goanywhere-cve-2025-10035/; classtype:web-application-attack; sid:2064921; rev:1; metadata:affected_product Fortra_GoAnywhere, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_25, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_09_25, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:dest_ip;)