Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Security Manager XmpFileDownloadServlet directory traversal attempt"; flow:to_server,established; content:"/cwhp/XmpFileDownloadServlet"; fast_pattern:only; http_uri; content:"downloadDirectory"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?downloadDirectory((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:cve,2020-27130; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csm-path-trav-NgeRnqgR; classtype:web-application-attack; sid:56416; rev:1;)
Recommendations/Investigative actions
Identify the source and destination hosts and check whether Cisco Security Manager is installed. If needed, consult IT and OT personnel. If it is installed, the alert may be part of an exploitation attempt by a malicious actor leveraging a vulnerability. If this specific application is not involved, the alert is a false positive and the signature can be disabled.
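
To help with that triage, the Python sketch below re-evaluates each condition of the signature against a captured request URI and body, showing which parts of the rule matched. It is an added example, not part of the original signature documentation or any vendor code. The function names, the multipart helper, the boundary string and the sample bodies (including the field name "note") are constructed, and the string checks only approximate Snort's http_uri and http_client_body buffers.

```python
import re

# Python translation of the rule's pcre (flags s, i, m; P = request body buffer).
FIELD_TRAVERSAL = re.compile(
    r"name\s*=\s*[\x22\x27]?downloadDirectory((?!^--).)*?\x2e\x2e[\x2f\x5c]",
    re.S | re.I | re.M,
)
SERVLET_URI = "/cwhp/xmpfiledownloadservlet"  # compared case-insensitively in this sketch


def rule_conditions(uri: str, body: str) -> dict:
    """Evaluate each condition of sid 56416 separately, for triage notes."""
    lowered = body.lower()
    return {
        "uri": SERVLET_URI in uri.lower(),
        "field": "downloaddirectory" in lowered,
        "disposition": "content-disposition" in lowered,
        "traversal": FIELD_TRAVERSAL.search(body) is not None,
    }


def would_alert(uri: str, body: str) -> bool:
    """True only when every condition of the rule holds."""
    return all(rule_conditions(uri, body).values())


def multipart(fields: dict, boundary: str = "----constructed") -> str:
    """Build a constructed multipart/form-data body for the samples below."""
    parts = [
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'
        for k, v in fields.items()
    ]
    return "".join(parts) + f"--{boundary}--\r\n"


URI = "/cwhp/XmpFileDownloadServlet"
SAMPLES = {  # constructed bodies, not captured traffic
    "traversal in field": multipart({"downloadDirectory": "..\\..\\placeholder"}),
    "plain field": multipart({"downloadDirectory": "reports"}),
    # "../" sits in a different part; the (?!^--) guard stops at the boundary
    "dot-dot in other part": multipart({"downloadDirectory": "reports", "note": "../x"}),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label}: alert={would_alert(URI, body)} {rule_conditions(URI, body)}")
```

Only the first sample satisfies every condition. The third shows that a ".." sequence in another form part does not match, because the pattern will not cross a multipart boundary line.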