alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Inbound Hashicorp Consul RCE via Services API"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"v1/agent/service/register"; fast_pattern; http.request_body; content:"|22|sh|22|"; content:"|22|-c|22|"; reference:url,www.exploit-db.com/exploits/46074; classtype:attempted-admin; sid:2031675; rev:1; metadata:attack_target Web_Server, created_at 2021_02_26, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_02_26;)