Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Generic WSO Webshell Accessed on External Compromised Server"; flow:established,to_client; file.data; content:"<span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span></td><td><nobr>"; nocase; fast_pattern; content:"<span>Group:</span>"; nocase; distance:0; content:"<span>Safe mode:</span>"; nocase; distance:0; content:"<span>Datetime:</span>"; nocase; distance:0; content:"<span>Free:</span>"; nocase; distance:0; content:"<span>Server IP:</span>"; nocase; distance:0; content:"<span>Client IP:</span>"; nocase; distance:0; content:">Self remove</a>"; nocase; distance:0; content:"<h1>File manager</h1>"; nocase; distance:0; classtype:web-application-attack; sid:2029873; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, confidence Medium, signature_severity Major, updated_at 2020_04_10;)