alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Possible Oracle WebLogic CVE-2020-2551 Scanning"; flow:established,to_server; content:"|47 49 4f 50 01 02 00 03 00 00 00 17 00 00 00 02 00 00 00 00 00 00 00 0b 4e 61 6d 65 53 65 72 76 69 63 65|"; startswith; fast_pattern; reference:url,www.rapid7.com/db/vulnerabilities/oracle-weblogic-cve-2020-2551; reference:url,github.com/hktalent/CVE-2020-2551/blob/master/CVE-2020-2551.py; classtype:attempted-admin; sid:2030128; rev:1; metadata:attack_target Server, created_at 2020_05_08, cve CVE_2020_2551, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_08;)