alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti Connect Secure Shared Object File Upload Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dana/uploadlog/uploadlog.cgi"; startswith; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name|3d 22|uploaded_file|22 3b 20|filename|3d 22|"; content:"Content-Type|3a 20|application/zip|0d 0a 0d 0a|ELF"; within:300; reference:url,blog.amberwolf.com/blog/2024/october/cve-2024-37404-ivanti-connect-secure-authenticated-rce-via-openssl-crlf-injection/; classtype:web-application-attack; sid:2056579; rev:1; metadata:affected_product Ivanti, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_10_09, cve CVE_2024_37404, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_09; target:dest_ip;)