Rule History

SID: 10000048 • Source: ptrules/open

Versions (6)

Version DetailsCurrent

Rev: 3 • Jul 24, 2025, 5:44 PM

Message:

ATTACK [PTsecurity] Apache Continuum <= v1.4.2 CMD Injection

Rule:

alert http any any -> any any (msg: "ATTACK [PTsecurity] Apache Continuum <= v1.4.2 CMD Injection"; content: "POST"; http_method; content: "/continuum/saveInstallation.action"; offset: 0; depth: 34; http_uri; content: "installation.varValue="; nocase; http_client_body; pcre: "/^[^&]*(?:\x60|%60|\x7c|%7c|\x3b|%3b|\x24\x28|%24%28|\x24\x7b|%24%7b|%0a)/iRP"; flow: to_server, established; reference: url, exploit-db.com/exploits/39886; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10000048; rev: 3;)

Created:

Jul 24, 2025, 5:44 PM

Updated:

Jul 24, 2025, 5:44 PM

DB Created:

Oct 16, 2025, 10:34 AM

DB Updated:

Oct 16, 2025, 10:34 AM

Filename:

rules/ptopen-attacks.rules