alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Hikvision IP Camera RCE Attempt (CVE-2021-36260)"; flow:established,to_server; http.method; content:"PUT"; http.uri; content:"/SDK/webLanguage"; bsize:16; fast_pattern; http.request_body; content:"|3c|language|3e|"; nocase; pcre:"/(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/CVE-2021-36260.py; reference:url,watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html; reference:url,www.fortinet.com/blog/threat-research/mirai-based-botnet-moobot-targets-hikvision-vulnerability; reference:cve,2021-36260; classtype:attempted-admin; sid:2034630; rev:2; metadata:affected_product IP_Camera, attack_target Networking_Equipment, created_at 2021_12_08, cve CVE_2021_36260, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_08;)