alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Possible Apache Druid RCE Inbound (CVE-2021-25646)"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|22|type|22 3a 20 22|javascript|22|"; fast_pattern; content:"|22|function|22 3a 20|"; pcre:"/^\x22[^\x22]*\x7b[^\x22]*\x7d[^\x22]*\x22[^\x22]*\x22{2}/Rm"; reference:cve,2021-25646; classtype:attempted-admin; sid:2032340; rev:1; metadata:affected_product Apache_HTTP_server, attack_target Server, created_at 2021_03_29, cve CVE_2021_25646, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_29;)