Et rule 2045307 - Magic-SigExplorer

""ET EXPLOIT Possible Oracle Opera RCE Attempt (CVE-2023-21932)""

SID: 2045307

Revision: 1

Class Type: attempted-admin

Metadata: attack_target Web_Server, created_at 2023_05_03, cve CVE_2023_21932, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_05_03

Reference:

cve
2023-21932

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established

Contents:

Value: "POST"
Value: "/Operajserv/webarchive/FileReceiver?filename=" Depth: 45
Value: "&jndiname="
Value: "&username="
Value: "Content-Type|3a 20|multipart/form-data|3b 20|boundary="
Value: !"Referer|3a 20|"

Within:

PCRE: "/\/Operajserv\/webarchive\/FileReceiver\?filename=[a-zA-Z]\x3a\x5cMICROS\x5c/U"

Special Options:

http_method
http_uri
nocase
fast_pattern
http_uri
http_uri
http_header
http_header

source