alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT HP Enterprise VAN SDN Controller Upload Backdoor 2"; flow:established,to_server; http.uri; content:"/upload"; endswith; http.header; content:"X-Auth-Token|3a 20|AuroraSdnToken"; fast_pattern; content:".deb|0d 0a|"; http.request_body; content:"|7f|ELF"; depth:4; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hp_van_sdn_cmd_inject.rb; classtype:attempted-admin; sid:2026030; rev:4; metadata:attack_target Client_Endpoint, created_at 2018_08_24, deployment Datacenter, signature_severity Major, updated_at 2020_09_16;)