alert tcp any any -> $HOME_NET 8009 (msg:"ET EXPLOIT [401TRG] GhostCat LFI Attempt Inbound (CVE-2020-1938)"; flow:established,to_server; content:"|12 34|"; depth:2; content:"|00 08|HTTP/1.1|00|"; distance:0; content:"javax.servlet.include.path_info|00|"; nocase; distance:0; content:"javax.servlet.include.request_uri|00|"; content:"javax.servlet.include.servlet_path|00|"; flowbits:set,ET.GhostCat; reference:cve,2020-1938; reference:url,www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487; classtype:attempted-admin; sid:2029533; rev:3; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2020_02_25, cve CVE_2020_1938, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_08;)