alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request (CVE-2023-46747)"; flow:established,to_server; app-layer-event:http.invalid_transfer_encoding_value_in_request; content:"|0d 0a 00 08|HTTP"; isdataat:!518,relative; content:"/tmui/"; nocase; distance:0; http.method; content:"POST"; http.uri; content:"/tmui/"; startswith; fast_pattern; reference:url,my.f5.com/manage/s/article/K000137353; reference:url,www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/; reference:cve,2023-46747; classtype:attempted-admin; sid:2049057; rev:4; metadata:attack_target Networking_Equipment, created_at 2023_11_03, cve CVE_2023_46747, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_01_31, reviewed_at 2023_11_09; target:dest_ip;)