alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET SCAN Asp-Audit Web Scan Detected"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"STYLE=x|3a|e/**/xpression(alert('asp-audit'))>"; reference:url,www.hacker-soft.net/Soft/Soft_2895.htm; reference:url,wiki.remote-exploit.org/backtrack/wiki/asp-audit; classtype:attempted-recon; sid:2009479; rev:12; metadata:created_at 2010_07_30, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_14;)