alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Apache Cocoon <= 2.1.x LFI (CVE-2020-11991)"; flow:established,to_server; http.uri; content:"/v2/api/product/manger/getInfo"; nocase; http.request_body; content:"ENTITY"; nocase; pcre:"/^\s+?[^\s\>]+?\s+?SYSTEM\s/Ri"; content:"DOCTYPE"; nocase; fast_pattern; content:"SYSTEM"; nocase; content:"file|3a|//"; nocase; distance:0; reference:url,www.cnblogs.com/0day-li/p/13663350.html; reference:url,github.com/projectdiscovery/nuclei; reference:cve,2020-11991; classtype:attempted-admin; sid:2033641; rev:1; metadata:created_at 2021_08_02, cve CVE_2020_11991, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_02;)