SERVER-WEBAPP Cisco Security Manager XmpFileDownloadServlet directory traversal attempt

This Snort rule detects attempts to exploit the directory traversal vulnerability (CVE-2020-27130) in Cisco Security Manager's XmpFileDownloadServlet. It alerts when the servlet path appears in the HTTP URI and the request body carries a downloadDirectory parameter containing a traversal sequence.

ID Number

56415

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Security Manager XmpFileDownloadServlet directory traversal attempt"; flow:to_server,established; content:"/cwhp/XmpFileDownloadServlet"; fast_pattern:only; http_uri; content:"downloadDirectory="; nocase; http_client_body; pcre:"/(^|&)downloadDirectory=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-27130; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR; classtype:web-application-attack; sid:56415; rev:1;)
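To make the rule's matching logic concrete, the following is an added Python example (not part of the rule, of Snort, or of Cisco's software) that re-implements the URI, body and PCRE checks of sid:56415 and runs them over constructed sample requests; the HttpRequest class and the sample bodies are assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpRequest:
    """Hypothetical parsed HTTP request (constructed for this example)."""
    uri: str
    body: str


# Mirrors of the rule's three checks.
URI_MARKER = "/cwhp/XmpFileDownloadServlet"   # content ... http_uri (case-sensitive)
BODY_MARKER = "downloaddirectory="             # content ... nocase; http_client_body
# pcre:"/(^|&)downloadDirectory=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"
# Two dots (plain, %2e or double-encoded %252e) followed by a slash or backslash
# (plain, %2f/%5c or double-encoded %252f/%255c).
TRAVERSAL_RE = re.compile(
    r"(^|&)downloadDirectory=[^&]*?(\.|%(25)?2e){2}([/\\]|%(25)?(2f|5c))",
    re.IGNORECASE | re.MULTILINE,              # the rule's /i and /m flags
)


def rule_56415_matches(req: HttpRequest) -> bool:
    """Return True when the request satisfies every condition of sid:56415."""
    if URI_MARKER not in req.uri:              # fast_pattern content on the URI
        return False
    if BODY_MARKER not in req.body.lower():    # nocase content on the client body
        return False
    return TRAVERSAL_RE.search(req.body) is not None


# Constructed sample traffic: a legitimate download, plain, URL-encoded and
# double-encoded traversal sequences, and a request to a different servlet.
SAMPLES = {
    "legit": HttpRequest("/cwhp/XmpFileDownloadServlet", "downloadDirectory=reports&file=a.txt"),
    "plain": HttpRequest("/cwhp/XmpFileDownloadServlet", "x=1&downloadDirectory=../../etc"),
    "encoded": HttpRequest("/cwhp/XmpFileDownloadServlet", "downloadDirectory=%2e%2e%2fconf"),
    "double": HttpRequest("/cwhp/XmpFileDownloadServlet", "downloadDirectory=%252e%252e%255cconf"),
    "other_uri": HttpRequest("/cwhp/Other", "downloadDirectory=../../etc"),
}


def evaluate_samples() -> dict:
    """Run the rule logic over every constructed sample."""
    return {name: rule_56415_matches(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Only the three traversal samples trigger; the legitimate download and the request to another servlet pass silently, which is the behaviour the rule's combination of URI content, body content and PCRE is meant to give.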

MITRE ATT&CK Technique

-

Severity

medium

Recommendations/Investigative actions

Identify the source and destination hosts and check whether Cisco Security Manager is installed on the destination. If needed, consult IT and OT personnel. If it is installed, the traffic may be part of exploitation by a malicious actor attempting to leverage this vulnerability. If this specific application is not involved, the alert is a false positive and the rule can be disabled.