ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - Config Leaked (CVE-2022-40684)

SID: 2039485
Rev: 1
Source: et/open
Created: October 20, 2022
Updated: October 20, 2022
Classification: successful-admin
alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Successful FortiOS Auth Bypass Attempt - Config Leaked (CVE-2022-40684)"; flow:established,to_client; flowbits:isset,ET.CVE-2022-40684; http.response_body; content:"#config-version="; startswith; content:"user=Local_Process_Access|0a|#conf_file_ver="; within:500; fast_pattern; content:"|0a|#buildno="; within:500; reference:url,www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684/; reference:url,github.com/horizon3ai/CVE-2022-40684/blob/master/CVE-2022-40684.py; reference:cve,2022-40684; classtype:successful-admin; sid:2039485; rev:1; metadata:affected_product Web_Server_Applications, affected_product Fortigate, attack_target Web_Server, created_at 2022_10_20, cve CVE_2022_40684, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_10_20; target:src_ip;)

Metadata

affected product: Fortigate
attack target: Web_Server
created at: 2022_10_20
deployment: SSLDecrypt
performance impact: Low
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2022_10_20
