alert http $HOME_NET any -> any any (msg:"ET INFO Commvault Server Hostname Observed in HTTP Response"; flow:established,to_client; http.response_body; content:"activeMQConnectionURL"; fast_pattern; content:"tcp|3a 2f 2f|"; reference:url,labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/; classtype:misc-activity; sid:2064058; rev:3; metadata:affected_product Commvault, attack_target Server, tls_state TLSDecrypt, created_at 2025_08_20, deployment Perimeter, deployment Internal, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_20, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1082, mitre_technique_name System_Information_Discovery; target:dest_ip;)