alert http $HOME_NET 4081 -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS Kerio Control HTTP Response Splitting (CVE-2024-52875)"; flow:established,to_client; http.stat_code; content:"302"; http.header_names; content:"Location|0d 0a 0d 0a|"; http.response_body; content:"Server|3a 20|Kerio Control"; fast_pattern; reference:url,karmainsecurity.com/hacking-kerio-control-via-cve-2024-52875; reference:cve,2024-52875; classtype:web-application-activity; sid:2059030; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_08, cve CVE_2024_52875, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:src_ip;)