alert http any any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible CVE-2017-12629 XXE Exploit Attempt (URI)"; flow:to_server,established; flowbits:set,ET.CVE-2017-12629; http.uri; content:"?q=|7b 21|xmlparser"; content:"|3d 27 3c 21|DOCTYPE"; nocase; distance:0; fast_pattern; pcre:"/^(?:(?!\x0d\x0a).)+\x22(?:https?|file):\x2f\x2f/R"; reference:url,www.exploit-db.com/exploits/43009/; classtype:web-application-attack; sid:2024885; rev:3; metadata:affected_product Apache_Solr, attack_target Web_Server, created_at 2017_10_20, cve CVE_2017_12629, deployment Datacenter, confidence Medium, signature_severity Major, updated_at 2020_08_13;)