alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SHELLCODE Possible Unescape Encoded Content With Split String Obfuscation"; flow:established,to_client; content:"unescape|28 22|"; content:!"|29|"; within:100; content:"|22| +|0a|"; within:80; content:"|22| +|0a|"; within:80; content:"|22| "; within:80; content:"|22| +|0a|"; within:80; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:shellcode-detect; sid:2012196; rev:5; metadata:created_at 2011_01_17, performance_impact Significant, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_09;)