alert http any any -> $HOME_NET any (msg:"ET EXPLOIT Shenzhen TVT DVR/NVR/IPC WebUI RCE ADD Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editBlackAndWhiteList"; bsize:22; http.request_body; content:"clientType|3d 22|WEB|22 3e|"; content:"|3c|addressType|3e|ip|3c 2f|addressType|3e 3c|ip|3e|"; distance:0; fast_pattern; pcre:"/^(?:[\x60\x3b\x7c]|%60|%3b|%7c|%26|(?:[\x3c\x3e\x24]|%3c|%3e|%24)(?:\x28|%28))/R"; reference:url,github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt; classtype:attempted-admin; sid:2036253; rev:2; metadata:created_at 2022_04_19, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_19;)