alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Sunhillo SureLine Unauthenticated OS Command Injection Inbound (CVE-2021-36380)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/cgi/networkDiag.cgi"; http.request_body; content:"command="; startswith; nocase; content:"&ipAddr="; nocase; content:"&dnsAddr=|24 28|"; nocase; fast_pattern; reference:cve,2021-36380; classtype:attempted-admin; sid:2033459; rev:1; metadata:created_at 2021_07_27, cve CVE_2021_36380, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_27, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)