ET EXPLOIT Apache Tomcat Tribes EncryptInterceptor Bypass Remote Code Execution (CVE-2026-34486)

SID: 2069474
Rev: 1
Source: et/open
Created: May 28, 2026
Updated: May 28, 2026
Classification: attempted-user
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] 4000 (msg:"ET EXPLOIT Apache Tomcat Tribes EncryptInterceptor Bypass Remote Code Execution (CVE-2026-34486)"; flow:established,to_server; content:"|46 4c 54 32 30 30 32|"; startswith; content:"|ac ed 00 05|"; distance:0; content:"|74 00 00 71 00 7e 00 05 74 00 04 68 74 74 70 70 78 74 00 03 70 6f 63 78 54 4c 46 32 30 30 33|"; distance:0; fast_pattern; reference:url,www.striga.ai/research/tomcat-tribes-unauth-rce; reference:url,github.com/projectdiscovery/nuclei-templates/blob/f53616baf9fa1bf3faccb24f49d508c16b0d0c87/http/cves/2026/CVE-2026-34486.yaml; reference:cve,2026-34486; classtype:attempted-user; sid:2069474; rev:1; metadata:affected_product Apache_Tomcat, attack_target Server, created_at 2026_05_28, cve CVE_2026_34486, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2026_05_28, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

Metadata

affected product: Apache_Tomcat
attack target: Server
created at: 2026_05_28
deployment: Internal
confidence: High
signature severity: Major
tag: Exploit
updated at: 2026_05_28
mitre tactic id: TA0001
mitre tactic name: Initial_Access
mitre technique id: T1190
mitre technique name: Exploit_Public_Facing_Application
