alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ARG-W4 ASDL Router DNS Changer Exploit Attempt"; flow:established,to_server; http.uri; content:"/form2dns.cgi?dnsmode=1&dns1="; nocase; content:"&dns2="; distance:0; content:"&dns3="; distance:0; content:"&submit.htm?dns.htm=send&save="; fast_pattern; distance:0; nocase; reference:url,csirt.bank.gov.ua/en/news/44; classtype:attempted-admin; sid:2027907; rev:4; metadata:attack_target Networking_Equipment, created_at 2019_08_23, deployment Perimeter, performance_impact Moderate, signature_severity Major, updated_at 2021_03_04;)