alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400)"; flow:established,to_server; http.cookie; content:"SESSID="; startswith; content:"/opt/panlogs/tmp/device_telemetry/"; distance:0; fast_pattern; pcre:"/(?:\x60|\x7b).*(?:\x24\x7bIFS\x7d|\x2c)/R"; reference:cve,2024-3400; reference:url,labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/; reference:url,www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3400-on-palo-alto-networks-globalprotect-devices/; classtype:trojan-activity; sid:2052122; rev:2; metadata:affected_product Palo_Alto_Networks, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_04_16, cve CVE_2024_3400, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_05_17, reviewed_at 2024_10_04, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)