Rule History

alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Compromised Internal Server"; flow:established,to_client; file.data; content:"Upload File : <input type=|22|file|22 20|name=|22|file|22|"; fast_pattern; nocase; content:">Name</center></td>"; nocase; distance:0; content:">Size</center></td>"; nocase; distance:0; content:">Permissions</center></td>"; nocase; distance:0; content:">Options</center></td>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option>"; nocase; distance:0; content:"<option value=|22|chmod|22|>Chmod</option>"; nocase; distance:0; content:"<option value=|22|rename|22|>Rename</option>"; nocase; distance:0; content:"<form method=|22|POST|22 20|action=|22|?option&path="; nocase; distance:0; classtype:web-application-attack; sid:2030020; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_24, deployment Perimeter, confidence Medium, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_24;)