ET EXPLOIT Possible [401TRG] GhostCat LFI Successful Exploit (CVE-2020-1938)

SID: 2046149
Rev: 2
Source: et/open
Created: June 7, 2023
Updated: June 8, 2023
Classification: attempted-admin
alert http [$HOME_NET,$HTTP_SERVERS] 8009 -> any any (msg:"ET EXPLOIT Possible [401TRG] GhostCat LFI Successful Exploit (CVE-2020-1938)"; flow:established,to_client; http.response_body; content:"|3c 3f|xml|20|version|3d 22|"; startswith; content:"Licensed|20|to|20|the|20|Apache|20|Software|20|Foundation|20 28|ASF|29 20|under|20|one|20|or|20|more|0a 20 20|contributor|20|license|20|agreements|2e|"; content:"The|20|ASF|20|licenses|20|this|20|file|20|to|20|You|20|under|20|the|20|Apache|20|License|2c 20|Version"; content:"aee/web-app_"; fast_pattern; content:"_"; distance:1; within:1; content:"|2e|xsd|22|"; content:"|3c|display|2d|name|3e|"; content:"|3c 2f|display|2d|name|3e|"; content:"|3c|description|3e|"; flowbits:isset,ET.GhostCat; reference:cve,2020-1938; reference:url,trendmicro.com/en_us/research/20/c/busting-ghostcat-an-analysis-of-the-apache-tomcat-vulnerability-cve-2020-1938-and-cnvd-2020-10487.html; classtype:attempted-admin; sid:2046149; rev:2; metadata:affected_product Apache_Tomcat, attack_target Web_Server, created_at 2023_06_07, cve CVE_2020_1938, deployment Perimeter, confidence Low, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_08, reviewed_at 2024_01_26;)

Metadata

affected product: Apache_Tomcat
attack target: Web_Server
created at: 2023_06_07
deployment: Perimeter
confidence: Low
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2023_06_08
reviewed at: 2024_01_26
