alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS phpMyAdmin setup.php Remote File inclusion Attempt (CVE-2010-3055)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/setup.php"; nocase; http.request_body; content:"action="; nocase; content:"&configuration="; distance:0; content:"PMA"; distance:0; content:"Config"; within:11; pcre:"/source(?:\x22\x3b\w\x3a|%22%3b\w%3a)\d+(?:\x3a\x22|%3a%22)(?:(?:ftps?|%66%74%70(?:%73)?)|(?:https?|%68%74%74%70(?:%73)?)|(?:php|%70%68%70))(?:\x3a|%3A)(?:\x2f|%2f)/Ri"; reference:url,blog.spiderlabs.com/2012/04/honeypot-alert-phpmyadmin-setupphp-rfi-attacks-detected.html; reference:url,phpmyadmin.net/home_page/security/PMASA-2010-4.php; reference:cve,CVE-2010-3055; classtype:web-application-attack; sid:2014633; rev:6; metadata:created_at 2012_04_23, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)