alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Totolink cstecgi.cgi langType Parameter Buffer Overflow Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:20; content:"/cgi-bin/cstecgi.cgi"; http.request_body; content:"|22|topicurl|22 3a|"; content:"|22|setLanguageCfg|22|"; within:30; fast_pattern; content:"|22|langType|22 3a|"; pcre:"/^(?:\x20\x22|\x22)^[^\x22\x7d$]{100,}(?:\x22|\x7d|$)/R"; reference:url,kn0sinna.notion.site/TOTOLINK-EX1200T-stack-based-BufferOverflow-vulnerability-204b1876cd6e80709ce8dab4778dce55; classtype:web-application-attack; sid:2062746; rev:1; metadata:affected_product TOTOLINK, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_06_04, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_06_04, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)