alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER MegaRAC Redfish Authentication Bypass via HTTP Header Spoofing (CVE-2023-34329)"; flow:established,to_server; http.uri; content:"/redfish/v1/"; fast_pattern; startswith; http.host; pcre:"/^[^\d]*?(?:10\.(?:25[0-5]|2[0-4]\d|[01]?\d{1,2})\.(?:25[0-5]|2[0-4]\d|[01]?\d{1,2})\.(?:25[0-5]|2[0-4]\d|[01]?\d{1,2}))|(?:172\.(?:1[6-9]|2\d|3[0-1])\.(?:25[0-5]|2[0-4]\d|[01]?\d{1,2})\.(?:25[0-5]|2[0-4]\d|[01]?\d{1,2}))|(?:192\.168\.(?:25[0-5]|2[0-4]\d|[01]?\d{1,2})\.(?:25[0-5]|2[0-4]\d|[01]?\d{1,2})|127\.0\.0\.1|localhost|169\.254\.0\.17)/"; reference:url,eclypsium.com/blog/eclypsium-releases-tools-for-detecting-ami-megarac-bmc-vulnerabilities/; reference:cve,2023-34329; classtype:web-application-attack; sid:2065041; rev:1; metadata:affected_product MegaRAC_Redfish, attack_target Server, tls_state TLSDecrypt, created_at 2025_10_03, cve CVE_2023_34329, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)