Rule History

alert http any any -> any any (msg: "ATTACK [PTsecurity] vBulletin 5.x pre-auth RCE"; flow: established, to_server; content: "POST"; http_method; content: "routestring"; http_client_body; content: "widget_php"; within: 30; http_client_body; pcre: "/ajax.{1,6}render.{1,6}widget_php/P"; pcre: "/widgetConfig.{1,6}code/P"; reference: url, seclists.org/fulldisclosure/2019/Sep/31; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10005417; rev: 3;)