alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Inductive Automation remoteSystemID Check (CVE-2023-39476)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/system/ws-control-servelet?name="; startswith; fast_pattern; content:"uuid="; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}/R"; content:"url=http|3a 2f 2f|localhost/system"; endswith; http.header_names; content:"Connection|0d 0a|"; content:"Sec-WebSocket-Version|0d 0a|"; content:"Sec-WebSocket-Key|0d 0a|"; content:"Upgrade|0d 0a|"; content:"User-Agent|0d 0a|"; content:"Host|0d 0a|"; reference:url,www.zerodayinitiative.com/advisories/ZDI-23-1046/; reference:url,xz.aliyun.com/t/12813; reference:cve,2023-39476; classtype:attempted-admin; sid:2047920; rev:1; metadata:created_at 2023_09_05, cve CVE_2023_39476, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_09_05, reviewed_at 2024_10_02; target:dest_ip;)