Rule History

alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache ActiveMQ Jolokia addNetworkConnector Remote Code Execution Attempt (CVE-2026-34197)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:<14; content:"/api/jolokia"; fast_pattern; http.content_type; content:"application/json"; nocase; http.request_body; content:"|22|type|22|"; content:"|22|exec|22|"; within:15; content:"|22|mbean|22|"; content:"|22|operation|22|"; content:"|22|addNetworkConnector"; within:30; content:"|22|arguments|22|"; content:"|22|static|3a 28|vm|3a 2f 2f|"; within:30; content:"xbean|3a|http"; distance:0; reference:url,horizon3.ai/attack-research/disclosures/cve-2026-34197-activemq-rce-jolokia/; reference:cve,2026-34197; classtype:attempted-admin; sid:2068634; rev:3; metadata:affected_product Apache_ActiveMQ, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2026_04_08, cve CVE_2026_34197, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_05_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)