alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Metabase Pre-Auth RCE Attempt - CVE-2023-38646"; flow:established,to_server; http.uri; content:"/api/setup/validate"; fast_pattern; http.request_body; content:"|22|token|22|"; pcre:"/^\s?\x3a\s?\x22[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/R"; content:"|22|db|22|"; pcre:"/^\s?\x3a\s?\x22(?:[Zz][Ii][Pp]|[Mm][Ee][Mm])\x3a/R"; content:"|22|engine|22|"; content:"|22|h2|22|"; within:6; reference:url,twitter.com/httpvoid0x2f; reference:url,blog.assetnote.io/2023/07/22/pre-auth-rce-metabase/; reference:cve,2023-38646; classtype:attempted-admin; sid:2047012; rev:1; metadata:attack_target Web_Server, created_at 2023_08_01, cve CVE_2023_38646, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_08_02; target:dest_ip;)