alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Oracle Reports OS Command Injection Attempt"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"report="; http_uri; nocase; pcre:"/(showenv|parsequery|rwservlet)\?.*report=.*\.(rdf|rep)/Ui"; reference:url,www.oracle.com/technology/products/reports/index.html; reference:url,www.red-database-security.com/advisory/oracle_reports_run_any_os_command.html; classtype:web-application-activity; sid:2002133; rev:11; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_08_22, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)