alert http any any -> $HOME_NET any (msg:"ET EXPLOIT TP-Link TL-WR840N EU v5 RCE Attempt (CVE-2021-41653)"; flow:established,to_server; http.request_line; content:"POST /cgi?2"; startswith; fast_pattern; http.request_body; content:"|5b|IPPING|5f|DIAG|23|"; nocase; content:"host="; distance:0; nocase; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,k4m1ll0.com/cve-2021-41653.html; reference:url,www.fortinet.com/blog/threat-research/manga-aka-dark-mirai-based-campaign-targets-new-tp-link-router-rce-vulnerability; reference:cve,2021-41653; classtype:attempted-admin; sid:2034677; rev:2; metadata:attack_target Networking_Equipment, created_at 2021_12_11, cve CVE_2021_41653, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_11;)