Rule History

alert tcp any any -> $HOME_NET 7001 (msg:"ET WEB_SERVER Oracle WebLogic Unauthenticated IIOP/T3 Remote Code Execution (CVE-2023-21839)"; flow:established,to_server; content:"GIOP|01 02 00 00|"; startswith; content:"rebind_any"; content:"weblogic|2e|jndi|2e|internal|2e|ForeignOpaqueReference"; fast_pattern; content:"ldap|3a 2f 2f|"; reference:url,packetstorm.news/files/id/172882; reference:cve,2023-21839; classtype:misc-attack; sid:2065403; rev:1; metadata:affected_product Oracle_WebLogic, attack_target Networking_Equipment, created_at 2025_10_27, cve CVE_2023_21839, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_27; target:dest_ip;)