alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Tomcat admin-blank login credentials"; flow:to_server,established; flowbits:set,ET.Tomcat.login.attempt; http.uri; content:"/manager/html"; nocase; http.header; content:"|0d 0a|Authorization|3a| Basic YWRtaW46|0d 0a|"; reference:url,tomcat.apache.org; classtype:attempted-admin; sid:2009218; rev:8; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, updated_at 2020_04_22;)