alert http any any -> $HOME_NET any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:38; content:"/albatross/eurekaservice/fetchLogFiles"; fast_pattern; http.content_type; content:"application/json"; nocase; http.request_body; content:"|22|logFileNameList|22 3a 22|../"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; classtype:trojan-activity; sid:2029990; rev:2; metadata:attack_target Server, created_at 2020_04_21, deployment Perimeter, deployment Datacenter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2026_05_15;)