alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Ivanti Cloud Services Appliance Path Traversal Exploit Attempt (CVE-2024-8963)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2f|client|2f|index|2e|php|3f 2e|php|2f|gsb|2f|"; startswith; fast_pattern; content:"|2e|php"; endswith; reference:cve,2024-8190; reference:url,fortinet.com/blog/threat-research/burning-zero-days-suspected-nation-state-adversary-targets-ivanti-csa; reference:url,forums.ivanti.com/s/article/Security-Advisory-Ivanti-Cloud-Service-Appliance-CSA-CVE-2024-8190; classtype:attempted-admin; sid:2056685; rev:1; metadata:affected_product Ivanti, created_at 2024_10_15, cve CVE_2024_8963, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_10_15, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)