alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible SolarWinds Orion RCE Inbound (CVE-2021-31474)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/Action/TestAction"; fast_pattern; http.request_body; content:"$type|22 3a 20 22|System.Byte|5b 5d|,|20|mscorlib"; content:"$value|22 3a 20 22|"; distance:0; pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})/R"; reference:cve,2021-31474; classtype:attempted-admin; sid:2033035; rev:1; metadata:attack_target Server, created_at 2021_05_27, cve CVE_2021_31474, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_05_27;)