alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER PHP tags in HTTP POST"; flow:established,to_server; http.method; content:"POST"; nocase; http.request_body; content:"<?php"; nocase; fast_pattern; reference:url,isc.sans.edu/diary.html?storyid=9478; classtype:web-application-attack; sid:2011768; rev:8; metadata:created_at 2010_09_28, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_18;)