detection rulesuricata

ATTACK 'Polly for Sonya' Cyrillic-language Docker pwn tooling marker

First seen: 2026-06-16
Last seen: 2026-06-16
Used in: 1 post

SuricataATTACK 'Polly for Sonya' Cyrillic-language Docker pwn tooling marker

alert http any any -> $HOME_NET any (msg:"ATTACK 'Polly for Sonya' Cyrillic-language Docker pwn tooling marker"; \
  flow:to_server,established; \
  http.method; content:"POST"; \
  http.request_body; content:"by Polly for"; \
  classtype:attempted-admin; sid:1000231006; rev:1; \
  metadata:created_at 2026-05-28;)

Posts using this rule

highSelf-Blocking Docker API Abuse Delivers the VoidLink DDoS-for-Hire Botnet
Ingress · any port · SID 1000231006
A tighter, lower-volume signature for the exact tooling observed here: the `by Polly for` attribution byline in a request body.
2026-06-10