alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT UPnP UUID Password Change Exploit Attempt Inbound - XR300 PoC Gadgets (CVE-2021-34991)"; flow:established,to_server; http.method; content:"SUBSCRIBE"; http.header; content:"UUID|3a 20|"; fast_pattern; http.request_body; content:"|b7 05 00|"; content:"|e0 e7 02|"; distance:10; within:10; reference:url,kb.netgear.com/000064361/Security-Advisory-for-Pre-Authentication-Buffer-Overflow-on-Multiple-Products-PSV-2021-0168; reference:url,blog.grimm-co.com/2021/11/seamlessly-discovering-netgear.html; reference:cve,2021-34991; classtype:attempted-admin; sid:2034493; rev:2; metadata:attack_target Server, created_at 2021_11_18, cve CVE_2021_34991, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2021_11_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)