alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible Oracle Reports Forms RCE CVE-2012-3152"; flow:established,to_server; http.uri; content:"/reports/rwservlet?"; nocase; content:"JOBTYPE"; nocase; content:"rwurl"; nocase; content:"URLPARAMETER"; nocase; pcre:"/^\s*?=\s*?[\x22\x27]?(?:f(?:ile|tp)|gopher|https?|mailto)\s*?\x3a/Ri"; reference:url,netinfiltration.com; classtype:web-application-attack; sid:2018092; rev:3; metadata:created_at 2014_02_07, cve CVE_2012_3152, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_27;)