alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS TimThumb Remote Command Execution"; flow:established,to_server; http.uri; content:".php"; content:"webshot="; fast_pattern; content:"src="; content:"|24 28|"; pcre:"/[&?]src=https?[^&]+\x24\x28/"; reference:url,cxsecurity.com/issue/WLB-2014060134; classtype:attempted-user; sid:2018605; rev:4; metadata:created_at 2014_06_26, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_24;)