ET EXPLOIT HikVision Arbitrary Directory Traversal Attempt
Source: et/open
Created: June 17, 2024
Updated: June 18, 2024
Classification: attempted-recon
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT HikVision Arbitrary Directory Traversal Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/orgManage/v1/orgs/download?fileName="; fast_pattern; pcre:"/^(\x2e{1,2}\x2f)/Ri"; reference:url,github.com/wy876/POC/blob/main/%E6%B5%B7%E5%BA%B7%E5%A8%81%E8%A7%86%E7%BB%BC%E5%90%88%E5%AE%89%E9%98%B2download%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md; classtype:attempted-recon; sid:2053704; rev:1; metadata:affected_product HikVision, created_at 2024_06_17, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_06_18, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)