alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Suspected Solarwinds Serv-U Backdoor (Incoming)"; flow:established,to_client; file.data; content:"RhinoSoft"; content:"Serv-U"; distance:0; content:"\\r\\nCRhinoUintAttr\\r\\nLastHour\\r\\n"; fast_pattern; content:".Archive"; content:"Serv-U-Tray.exe"; content:"window.close|28 29|"; reference:md5,2443968bb4d1c9f5e99d4dd09fd754af; reference:url,www.cadosecurity.com/post/triage-analysis-of-serv-u-ftp-user-backdoor-deployed-by-cve-2021-35211; classtype:trojan-activity; sid:2033321; rev:2; metadata:attack_target Server, created_at 2021_07_14, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_14;)