alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Netlink GPON Remote Code Execution Attempt (Inbound)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:23; content:"/boaform/admin/formPing"; fast_pattern; http.request_body; content:"target_addr=|3b|"; startswith; reference:url,blog.netlab.360.com/multiple-fiber-routers-are-being-compromised-by-botnets-using-0-day-en/; reference:url,www.exploit-db.com/exploits/48225; classtype:attempted-admin; sid:2029976; rev:2; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2020_04_20, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_04_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)