alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager getObjectData Insecure Deserialization RCE (CVE-2023-31099)"; flow:established,to_server; pcre:"/\x0d\x0a[rR][eE][gG][iI][oO][nN][iI][dD]\x3a\s*(?P<reqid>[^\x0d\x0a]+).*regReqID.*?(?P=reqid)/s"; http.uri; content:"/servlet/com.me.opmanager.extranet.remote.communication.fw.fe.RegionalListener"; fast_pattern; http.header; content:"authkey|3a|"; nocase; content:"regionid|3a|"; nocase; content:"method|3a|"; nocase; http.request_body; content:"|ac ed 00 05|"; startswith; content:"|24|DataObject"; content:"|00 00 00 18|"; distance:0; content:"|78|"; distance:0; pcre:"/^[\x9c\xda]/R"; reference:url,xz.aliyun.com/news/12662; reference:cve,2023-31099; classtype:web-application-attack; sid:2066289; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_11, cve CVE_2023_31099, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_11, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)