Et rule 2025534 - Magic-SigExplorer

""ET WEB_SPECIFIC_APPS Drupalgeddon2 <8.3.9 <8.4.6 <8.5.1 RCE Through Registration Form (CVE-2018-7600)""

SID: 2025534

Revision: 2

Class Type: attempted-admin

Metadata: affected_product Drupal_Server, attack_target Web_Server, created_at 2018_04_26, deployment Datacenter, signature_severity Minor, tag drupalgeddon, updated_at 2018_04_26

Reference:

Link

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HTTP_SERVERS

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

Value: "user/password"
Value: "POST"
Value: "_triggering_element_name"

Within:

PCRE: "/(?:%(?:25)?23|#)\s*(access_callback|pre_render|post_render|lazy_builder)/U"

Special Options:

http_uri
http_method
http_client_body

source