alert tcp $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2"; flow:established,to_client; content:"|30|"; startswith; content:"|04 0d|javaClassName"; fast_pattern; content:"|04|"; distance:2; within:1; byte_jump:1,0,relative; content:"|04 12|javaSerializedData"; within:25; content:"|ac ed|"; within:10; content:"|2e|exec"; distance:0; content:"FromCharCode"; nocase; distance:0; reference:url,ldap.com/ldapv3-wire-protocol-reference-ldap-result/; reference:url,ldap.com/ldapv3-wire-protocol-reference-search/; reference:cve,2021-44228; classtype:attempted-admin; sid:2034769; rev:2; metadata:created_at 2021_12_20, cve CVE_2021_44228, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_20;)