alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT WinRAR WinAce Containing CVE-2018-20250 Inbound - Path Traversal leading to RCE"; flow:established,from_server; http.stat_code; content:"200"; file.data; content:"**ACE**"; offset:7; depth:7; fast_pattern; content:"|00|"; distance:0; pcre:"/^(?:(\S\:\\){2,}|\S\:\\\S\:\S\:|S\:\\\\\\([0-9]{1,3}\.){3}[0-9]{1,3}|\S\:\\\\\\([a-z0-9\-]{1,30}\.){1,8}[a-z]{1,8})/R"; classtype:attempted-admin; sid:2027310; rev:4; metadata:created_at 2019_05_01, cve CVE_2018_20250, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag WinRAR, tag ACE, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)