alert http any any -> $HOME_NET any (msg:"ATTACK dockerpwn persistence script delivery in HTTP request body"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.request_body; content:"dockerpwn"; nocase; \
classtype:attempted-admin; sid:1000231005; rev:1; \
metadata:created_at 2026-05-28;)

Ingress · any port · SID 1000231005
Fires on any HTTP POST whose request body carries the deployed-script signature string (matched case-insensitively), regardless of port. Useful when the operator switches transport (TCP/2376, reverse proxy, etc.).
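The following is an added example, not part of the rule set or of Suricata itself: a simplified Python model of the rule's conditions, useful for writing down which requests are expected to alert before replaying test traffic against the sensor. The sample requests, the host name `example.test`, port 8080 and all function names are constructed for illustration; the model ignores stream reassembly, chunked encoding and body-size limits.

```python
# Added illustration: a simplified model of the rule's conditions.
# It is not Suricata and ignores reassembly, chunking and body limits.
from dataclasses import dataclass

SIGNATURE = b"dockerpwn"  # content string from the rule (matched with nocase)


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, URI, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def rule_matches(raw: bytes, dst_port: int) -> bool:
    """Mirror SID 1000231005: POST method plus the signature in the body.

    dst_port is accepted only to show that the rule never consults it.
    """
    req = parse_request(raw)
    if "POST" not in req.method:           # http.method; content:"POST";
        return False
    return SIGNATURE in req.body.lower()   # http.request_body; content; nocase


# Constructed sample requests (not captured traffic).
POST_BODY = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
             b"Content-Length: 19\r\n\r\nname=DockerPwn-test")
GET_URI = b"GET /?q=dockerpwn HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST_HEADER = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
               b"User-Agent: dockerpwn\r\nContent-Length: 4\r\n\r\ntest")

if __name__ == "__main__":
    for label, raw in [("POST body", POST_BODY), ("GET uri", GET_URI),
                       ("POST header only", POST_HEADER)]:
        for port in (2376, 8080):
            print(f"{label:17} port {port}: {rule_matches(raw, port)}")
```

Only the first sample is expected to alert: the string in a URI or a header does not satisfy `http.request_body`, and the destination port plays no part.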