alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Oracle Weblogic Server Deserialization RCE T3 (CVE-2015-4852)"; flow:established,to_server; content:"|00 00|"; startswith; content:"|01 65|"; distance:2; within:2; content:"|ac ed 00|"; distance:0; content:"weblogic.rjvm.ClassTableEntry"; fast_pattern; distance:0; reference:cve,2015-4852; reference:url,www.exploit-db.com/exploits/46628; classtype:attempted-admin; sid:2035204; rev:1; metadata:created_at 2022_02_15, cve CVE_2015_4852, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_15;)