alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link 850L Password Extract Attempt"; flow:to_server,established; urilen:11; http.method; content:"POST"; http.uri; content:"/hedwig.cgi"; fast_pattern; http.request_body; content:"DEVICE.ACCOUNT"; reference:url,blogs.securiteam.com/index.php/archives/3364; classtype:attempted-recon; sid:2024913; rev:3; metadata:attack_target IoT, created_at 2017_10_25, deployment Perimeter, signature_severity Major, updated_at 2020_08_13;)