alert http any any -> $HOME_NET any (msg:"ET EXPLOIT D-Link DIR-X4860 RCE Attempt Inbound"; flow:established,to_server; http.request_body; content:"<soap|3a|"; content:"<SetVirtualServer"; fast_pattern; content:"<LocalIPAddress>"; pcre:"/^[^<]+\x3b/R"; http.header_names; content:"|0d 0a|HNAP_AUTH|0d 0a|"; classtype:attempted-admin; sid:2052820; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, created_at 2024_05_22, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_05_22;)