Rule History

alert http any any -> any any (msg: "ATTACK [PTsecurity] Ivanti Sentry RCE attempt (CVE-2023-38035)"; flow: established, to_server; http.uri; content: "/mics/services/MICSLogService"; http.header; content: "application/x-hessian"; http.request_body; content: "uploadFileUsingFileInput"; content: "command"; distance: 0; content: "isRoot"; reference: cve, 2023-38035; reference: url, horizon3.ai/ivanti-sentry-authentication-bypass-cve-2023-38035-deep-dive/; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10010662; rev: 1;)