alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER Possible D-Link Router HNAP Protocol Security Bypass Attempt"; flow:established,to_server; urilen:7; http.method; content:"POST"; http.uri; content:"/HNAP1/"; nocase; endswith; fast_pattern; http.header; content:"SOAPAction|3a 20|"; nocase; content:"/HNAP1/"; distance:0; pcre:"/^(?:set|get)/Ri"; content:"DeviceSettings"; within:14; reference:url,www.securityfocus.com/bid/37690; classtype:web-application-attack; sid:2010698; rev:6; metadata:created_at 2010_07_30, confidence Medium, signature_severity Unknown, updated_at 2020_11_02;)