alert ssh $HOME_NET any -> any any (msg:"ET INFO Potentially Vulnerable Erlang/OTP SSH Server Banner (CVE-2025-32433)"; flow:established,to_client; flowbits:set,ET.ErlangOTPBanner; ssh.software; content:"Erlang/"; pcre:"/^(?:(?:4\x2e(?:[0-9]|1[0-5])\x2e[0-3]\x2e(?:[0-9]|1[0-1]))|(?:5\x2e2\x2e(?:[0-9]))|(?:5\x2e1\x2e[0-4]\x2e[0-7]))/R"; reference:url,www.runzero.com/blog/erlang-otp-ssh/; reference:cve,2025-32433; classtype:misc-activity; sid:2061790; rev:3; metadata:affected_product Erlang_OTP, attack_target Server, tls_state plaintext, created_at 2025_04_22, cve CVE_2025_32433, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Informational, tag Exploit, updated_at 2025_06_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:src_ip;)