alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Apache Struts RCE Attempt (CVE-2020-17530)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"="; pcre:"/^(%25|%)(%7b|{)(%28|\()(%23|#)/R"; content:"instancemanager"; nocase; fast_pattern; pcre:"/^(%3d|=)(%23|#)application(%5b|\[)(%22|")org(%2e|\.)apache(%2e|\.)tomcat(%2e|\.)instancemanager(%22|")(%5d|\])(%29|\))(%2e|\.)(%28|\()(%23|#)(ognlstack|stack)(%3d|=)(%23|#)attr(%5b|\[)(%22|")com(%2e|\.)opensymphony(%2e|\.)xwork2(%2e|\.)util(%2e|\.)valuestack(%2e|\.)valuestack(%22|")(%5d|\])(%29|\))(%2e|\.)(%28|\()(%23|#)/Rsi"; content:"bean"; distance:0; within:200; content:"java"; distance:0; within:400; content:"execute"; distance:0; pcre:"/^(%2e|\.)exec/Ri"; reference:cve,2020-17530; classtype:attempted-admin; sid:2035009; rev:2; metadata:attack_target Server, created_at 2022_01_28, cve CVE_2020_17530, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2022_01_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)