alert http any any -> $HOME_NET any (msg:"ET HUNTING SonicWall Email Security Unauthenticated Arbitrary User Creation (CVE-2021-20021) M1"; flow:established,to_server; http.uri; content:"/createou|3f|"; fast_pattern; startswith; content:"data|3d|"; http.method; content:"GET"; reference:url,cloud.google.com/blog/topics/threat-intelligence/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise; reference:cve,2021-20021; classtype:web-application-attack; sid:2064934; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_09_26, cve CVE_2021_20021, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_09_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)