alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CrushFTP working_dir Template Injection Attempt (CVE-2024-4040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WebInterface/function/?command|3d|"; fast_pattern; startswith; content:"c2f|3d|"; content:"path|3d 7b|working_dir|7d|"; content:"names|3d|"; http.cookie; content:"CrushAuth|3d|"; content:"c2f|3d|"; distance:0; reference:cve,2024-4040; reference:url,attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis; classtype:attempted-recon; sid:2052277; rev:1; metadata:affected_product CrushFTP, attack_target FTP_Server, tls_state TLSDecrypt, created_at 2024_04_26, cve CVE_2024_4040, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_04_26, mitre_tactic_id TA0009, mitre_tactic_name Collection, mitre_technique_id T1005, mitre_technique_name Data_from_local_system; target:dest_ip;)