alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response"; flow:established,to_client; content:"|30 81|"; startswith; content:"|02 01|"; distance:1; within:2; content:"|64|"; distance:1; within:1; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0d|javaClassName"; within:20; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0c|javaCodeBase"; within:19; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|objectClass"; within:18; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 0b|javaFactory"; within:18; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034722; rev:1; metadata:attack_target Client_and_Server, created_at 2021_12_14, cve CVE_2021_44228, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_14;)