alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT rConfig < 3.9.7 SQLi (CVE-2020-10546)"; flow:established,to_server; http.uri; content:"/compliancepolicies.inc.php"; nocase; fast_pattern; content:"searchOption=contains"; content:"searchField=antani"; pcre:"/[^&]*(?:S(?:HOW.+(?:C(?:HARACTER.+SET|UR(DATE|TIME))|(?:VARI|T)ABLES)|ELECT.+(?:FROM|USER))|U(?:NION.+SELEC|PDATE.+SE)T|DELETE.+FROM|INSERT.+INTO|\/\*.+\*\/|EXEC)/Ri"; reference:url,github.com/theguly/exploits/blob/master/CVE-2020-10546.py; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-10546; classtype:attempted-admin; sid:2033639; rev:2; metadata:attack_target Web_Server, created_at 2021_08_02, cve CVE_2020_10546, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_02;)