alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER PHP WebShell Embedded In JPG (OUTBOUND)"; flow:established,to_client; file_data; content:"JFIF|00|"; distance:6; within:5; content:"<?php"; fast_pattern; distance:0; reference:url,blog.spiderlabs.com/2013/10/hiding-webshell-backdoor-code-in-image-files.html; classtype:successful-admin; sid:2017605; rev:2; metadata:created_at 2013_10_17, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)