alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Lexmark Malicious File Upload Detected"; flow:established,to_server; http.method; content:"POST"; bsize:4; http.uri; content:"/webglue/uploadfile/ImportFaxLogo"; bsize:33; fast_pattern; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name="; nocase; content:"filename="; nocase; within:255; pcre:"/(?:[\x7e\x60\x24\x26\x2a\x7c\x3b\x27\x22\x3c\x3e\x3f\x21])/Ri"; reference:url,github.com/blasty/lexmark; classtype:trojan-activity; sid:2044002; rev:1; metadata:affected_product IoT, attack_target IoT, created_at 2023_01_26, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_06;)