Versions (6)
Version DetailsCurrent
Rev: 2 • Jul 24, 2025, 5:44 PMATTACK [PTsecurity] SVN/Git Remote Code Execution through malicious (svn+,git+)ssh:// URL (Multiple CVEs)
alert http any any -> any any (msg: "ATTACK [PTsecurity] SVN/Git Remote Code Execution through malicious (svn+,git+)ssh:// URL (Multiple CVEs)"; flow: established, from_server; content: "30"; http_stat_code; depth: 2; content: "Location:"; http_header; nocase; content: "ssh://"; nocase; http_header; distance: 0; pcre: "/ssh:\/\/(?:[^@\s]+@)?(?:[\w\:\.\-\[\]\@]+[^\w\:\.\-\[\]\@\/\ ]|[^\w\:\.\-\[\]\@\/\ ][\w\:\.\-\[\]\@])/Hi"; reference: cve, 2017-9800; reference: cve, 2017-12426; reference: cve, 2017-1000116; reference: cve, 2017-1000117; reference: url, subversion.apache.org/security/CVE-2017-9800-advisory.txt; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10001763; rev: 2;)
Jul 24, 2025, 5:44 PM
Jul 24, 2025, 5:44 PM
Oct 16, 2025, 10:34 AM
Oct 16, 2025, 10:34 AM
rules/ptopen-attacks.rules