
Tomcat Session File Upload Attempt

Splunk Security Content

Summary
This detection rule is designed to identify attempts to exploit the CVE-2025-24813 vulnerability in Apache Tomcat through unauthorized file uploads. The initial stage of the attack is characterized by an attacker trying to upload a malicious .session file via an HTTP PUT request. When successful, these uploads generate HTTP status codes 201 (Created) or 409 (Conflict) and set the stage for subsequent deserialization attacks by placing harmful content where Tomcat's session management can access it. The rule targets web traffic logs, looking specifically for patterns consistent with known exploitation attempts of the vulnerability in question.
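The pattern the summary describes (an HTTP PUT to a `.session` file answered with 201 or 409), applied to access-log lines as an added example. This is not the Splunk rule's own search; the common log format, the function names, the paths and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Common log format: host ident user [time] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SUSPECT_STATUS = {201, 409}  # the two codes the rule summary names


def is_session_upload(method, uri, status):
    """True for a PUT to a *.session file answered with 201 or 409."""
    if method != "PUT" or status not in SUSPECT_STATUS:
        return False
    # Normalise so trivial variations do not slip past the suffix check:
    # drop the query string, take the last segment, drop ;parameters,
    # percent-decode, then compare case-insensitively.
    last = urlsplit(uri).path.rsplit("/", 1)[-1].split(";", 1)[0]
    return unquote(last).lower().endswith(".session")


def find_attempts(lines):
    """Return one dict per log line that matches the rule's pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_session_upload(m["method"], m["uri"], int(m["status"])):
            hits.append({"src": m["src"], "time": m["time"],
                         "uri": m["uri"], "status": int(m["status"])})
    return hits


# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Mar/2025:10:01:02 +0000] "PUT /uploads/a1b2c3.session HTTP/1.1" 409 -',
    '192.0.2.10 - - [25/Mar/2025:10:01:03 +0000] "PUT /uploads/A1B2.SESSION;v=1?x=1 HTTP/1.1" 201 0',
    '198.51.100.7 - - [25/Mar/2025:10:02:00 +0000] "PUT /docs/report.txt HTTP/1.1" 201 0',
    '198.51.100.7 - - [25/Mar/2025:10:02:05 +0000] "GET /app/index.session HTTP/1.1" 200 512',
    '192.0.2.44 - - [25/Mar/2025:10:03:00 +0000] "PUT /uploads/x.session HTTP/1.1" 403 0',
    '192.0.2.44 - - [25/Mar/2025:10:03:09 +0000] "PUT /uploads/y%2Esession HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_LOG):
        print(hit)
```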
Categories
  • Web
  • Network
  • Application
Data Sources
  • Named Pipe
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1190
  • T1505.003
Created: 2025-03-25