alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Link getcfg Information Disclosure Attempt (CVE-2019-17506)"; flow:established,to_server; http.request_line; content:"GET /getcfg.php?"; startswith; http.request_body; content:"SERVICES|3d|DEVICE.ACCOUNT"; startswith; fast_pattern; content:"|25|0AAUTHORIZED_GROUP"; pcre:"/^(?:\x3d|\x253[Dd])1/R"; reference:cve,2019-17506; reference:url,github.com/PeiQi0/PeiQi-WIKI-Book/tree/main/docs/wiki/iot; classtype:attempted-admin; sid:2063278; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_02, cve CVE_2019_17506, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_02, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)