alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Creation (CVE-2023-46747)"; flow:established,to_server; app-layer-event:http.invalid_transfer_encoding_value_in_request; content:"|0d 0a 00 08|HTTP"; isdataat:!518,relative; content:"|00 12|/tmui/Control/form|00|"; nocase; distance:0; content:"form|5f|page|3d 25|2Ftmui|25|2Fsystem|25|2Fuser|25|2Fcreate|2e|jsp"; fast_pattern; distance:0; nocase; http.method; content:"POST"; http.uri; content:"/tmui/"; startswith; reference:url,my.f5.com/manage/s/article/K000137353; reference:url,www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/; reference:cve,2023-46747; classtype:attempted-admin; sid:2049058; rev:2; metadata:attack_target Networking_Equipment, created_at 2023_11_03, cve CVE_2023_46747, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_09, reviewed_at 2023_11_09; target:dest_ip;)