alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DI-804HV DNS Changer Exploit Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/cgi-bin/prim"; startswith; content:"prim&rf=0004&"; fast_pattern; content:"&ID00="; distance:0; content:"&ID01="; distance:0; reference:url,cujo.com/dns-hijacking-attacks-on-home-routers-in-brazil/; classtype:attempted-admin; sid:2031809; rev:1; metadata:affected_product Router, attack_target Networking_Equipment, created_at 2021_03_04, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag DNS_Hijack, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_04;)