alert tcp-pkt $HOME_NET [21,990,2100,2121,3535] -> any any (msg:"ET FTP Vulnerable WS_FTP Version in FTP Banner Response (CVE-2023-40044)"; flow:established,to_client; content:"220"; startswith; content:"WS_FTP|20|Server|20|"; fast_pattern; distance:0; pcre:"/^(8\.7\.[0-3])|(8\.[0-6]\.\d{1,})|(8\.8\.[0-1])(?:$|\x28)/R"; threshold:type limit, track by_src, seconds 3600, count 1; reference:url,www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044; reference:cve,2023-40044; classtype:network-scan; sid:2048464; rev:3; metadata:affected_product WS_FTP, attack_target FTP_Server, created_at 2023_10_05, cve CVE_2023_40044, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Minor, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_20, reviewed_at 2024_10_02; target:src_ip;)