alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass Response (CVE-2024-53704)"; flow:established,to_client; flowbits:isset,ET.CVE_2024_53704; http.header; content:"Set-Cookie|3a 20|swap|3d|"; fast_pattern; http.response_body; content:".userName|20 3d 20 22|"; content:".domainName|20 3d 20 22|"; reference:url,bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking; reference:cve,2024-53704; classtype:web-application-attack; sid:2060056; rev:1; metadata:affected_product SonicWall, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2025_02_13, cve CVE_2024_53704, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2025_02_13; target:src_ip;)