alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Oracle WebLogic JNDI Injection RCE Attempt (CVE-2021-2109)"; flow:established,to_server; http.uri; content:"/consolejndi.portal?"; content:"_pageLabel=JNDIBindingPageGeneral"; content:"_nfpb=true"; content:"JNDIBindingPortletHandle=com.bea.console.handles.JndiBindingHandle("; content:"ldap|3a 2f 2f|"; distance:0; within:20; content:"|3b|AdminServer"; distance:0; fast_pattern; reference:url,mp.weixin.qq.com/s/wX9TMXl1KVWwB_k6EZOklw; reference:cve,2021-2109; reference:url,packetstormsecurity.com/files/161053/Oracle-WebLogic-Server-14.1.1.0-Remote-Code-Execution.html; classtype:attempted-user; sid:2031532; rev:2; metadata:affected_product Web_Server_Applications, attack_target Client_Endpoint, created_at 2021_01_20, cve CVE_2021_2109, deployment Perimeter, confidence High, signature_severity Major, updated_at 2021_01_26, reviewed_at 2024_05_07;)