p>alert tcp any any -> any $HTTP_PORTS (msg:"Telerik Vulnerable Versions HTTP GET"; content:"Telerik.Web.UI%2c+Version%3d20"; fast_pattern; offset: 0; depth: 500; pcre:"/Telerik\.Web\.UI%2c\+Version%3d20(?:0(?:7\.(?:1(4(?:2[3-9]|[3-9]\d)|[5-9]\d{2})|[2-9]\d{3}|\d{5,})|[89]\.)|1(?:[0-6]\.|7\.(?:[12]\.|3\.(?:\d{1,2}|[1-8]\d{2}|9(?:0\d|1[0-3]))\D)))/"; reference:cve,http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9248; classtype:web-application-activity; sid: 50000001; rev: 1;) alert tcp any $HTTP_PORTS -> any any (msg:"Telerik Vulnerable Versions HTTP Response"; content:"Telerik.Web.UI, Version=20"; fast_pattern; offset: 0; depth: 500; pcre:"/Telerik\.Web\.UI, Version=20(?:0(?:7\.(?:1(4(?:2[3-9]|[3-9]\d)|[5-9]\d{2})|[2-9]\d{3}|\d{5,})|[89]\.)|1(?:[0-6]\.|7\.(?:[12]\.|3\.(?:\d{1,2}|[1-8]\d{2}|9(?:0\d|1[0-3]))\D)))/"; reference:cve,http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9248; classtype:web-application-activity; sid: 50000002; rev: 1;) alert tcp any any -> any $HTTP_PORTS (msg:"Telerik Possible Encryption Key Disclosure Attempt"; content:"GET"; offset: 0; depth: 3; content:"/Telerik.Web.UI.DialogHandler.aspx?dp="; fast_pattern; offset: 0; depth: 500; reference:url,https://www.exploit-db.com/exploits/43873; classtype:web-application-attack; sid: 50000003; rev: 1;) alert tcp any any -> any $HTTP_PORTS (msg:"Telerik Possible Arbitrary File Upload Attempt"; content:"GET"; offset: 0; depth: 3; content:"/Telerik.Web.UI.WebResource.axd?dp="; fast_pattern; offset: 0; depth: 500; reference:url,https://www.exploit-db.com/exploits/43874; classtype:web-application-attack; sid: 50000004; rev: 1;) alert tcp any any -> any $HTTP_PORTS (msg:"Telerik RAU_Crypto File Upload Exploit"; content:"POST /Telerik.Web.UI.WebResource.axd?type=rau"; fast_pattern; offset:0; depth:45; content:"Accept-Encoding: identity"; distance:0; within:500; content:"boundary=---------------------------68821516528156"; distance:0; within:500; reference:url,https://www.exploit-db.com/exploits/43874; classtype:web-application-attack; sid: 50000005; rev:1; )