alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP Arbitrary File Read Attempt (CVE-2024-4040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/?command|3d|"; fast_pattern; startswith; content:"c2f|3d|"; content:"path|3d 3c|INCLUDE|3e 2f|"; content:"names|3d|"; http.cookie; content:"CrushAuth|3d|"; content:"c2f|3d|"; distance:0; reference:cve,2024-4040; reference:url,attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis; classtype:web-application-attack; sid:2052276; rev:1; metadata:affected_product CrushFTP, attack_target FTP_Server, tls_state TLSDecrypt, created_at 2024_04_26, cve CVE_2024_4040, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_04_26, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1567, mitre_technique_name Exfiltration_Over_Web_Service; target:dest_ip;)