alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS CloudPanel Insecure file-manager Cookie Authentication Content Upload (CVE-2023-35885)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/file-manager/backend/text"; fast_pattern; http.cookie; content:"clp-fm|3d|"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"id|3d 2f|"; content:"content|3d|"; reference:url,datack.my/fallingskies-cloudpanel-0-day/; reference:cve,2023-35885; classtype:web-application-activity; sid:2056091; rev:1; metadata:attack_target Server, tls_state plaintext, created_at 2024_09_24, cve CVE_2023_35885, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_09_24, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)