alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Jembot PHP Webshell (system command)"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php"; nocase; content:"empix="; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:3; metadata:created_at 2012_04_18, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_22;)