ET WEB_SPECIFIC_APPS Splunk Enterprise < 9.1.2 XML Injection (CVE-2023-46214)
Source: et/open
Created: October 23, 2024
Updated: October 23, 2024
Classification: web-application-attack
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Splunk Enterprise < 9.1.2 XML Injection (CVE-2023-46214)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"|2f|en|2d|US|2f|splunkd|2f 5f 5f|upload|2f|indexing|2f|preview|3f|"; fast_pattern; content:"props|2e|NO_BINARY_CHECK|3d|1"; content:"input|2e|path|3d|"; http.header; content:"X-Requested-With|3a 20|XMLHttpRequest"; content:"X-Splunk-Form-Key|3a 20|"; nocase; http.request_body; content:"|2e|xsl"; content:"Content-Type|3a 20|application/xslt+xml"; reference:url,blog.hrncirik.net/cve-2023-46214-analysis; reference:cve,2023-46214; classtype:web-application-attack; sid:2057031; rev:1; metadata:affected_product Splunk, attack_target Server, tls_state TLSDecrypt, created_at 2024_10_23, cve CVE_2023_46214, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_10_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)