alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED WMF Escape Record Exploit - Version 3"; flow:established; flowbits:isset,emerging_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,emerging_wmf_http; flowbits:unset,emerging_wmf_expl; flowbits:unset,emerging_wmf_expl_v1; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; classtype:attempted-user; sid:2002742; rev:10; metadata:created_at 2010_07_30, signature_severity Unknown, updated_at 2019_07_26;)