alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Gitlab Account Takeover Attempt (CVE-2023-7028)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/users/password"; http.request_body; content:"authenticity_token|3d|"; startswith; pcre:"/^[A-Za-z0-9_]{86}/R"; content:"&user%5Bemail%5D%5B%5D|3d|"; fast_pattern; nocase; content:"&user%5Bemail%5D%5B%5D|3d|"; distance:0; within:100; reference:url,attackerkb.com/topics/VBDvNxhyjr/cve-2023-7028; reference:cve,2023-7028; classtype:attempted-admin; sid:2050097; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2024_01_16, cve CVE_2023_7028, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_01_16, reviewed_at 2024_10_03; target:dest_ip;)