alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Openfire Authentication Bypass With RCE (CVE-2023-32315)"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; content:"/setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp"; content:"csrf="; content:"username="; content:"password="; content:"passwordConfirm="; content:"isadmin=on"; fast_pattern; reference:url,blog.aquasec.com/kinsing-malware-exploits-novel-openfire-vulnerability; reference:url,github.com/miko550/CVE-2023-32315/blob/main/CVE-2023-32315.py; reference:cve,2023-32315; reference:url,nvd.nist.gov/vuln/detail/CVE-2023-32315; reference:url,packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html; classtype:attempted-admin; sid:2047862; rev:2; metadata:affected_product Web_Server_Applications, created_at 2023_08_31, cve CVE_2023_32315, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2023_08_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)