alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER PHP.//Input in HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri.raw; content:"php|3a 2f 2f|input"; fast_pattern; http.request_body; content:"<?"; depth:2; reference:url,www.deependresearch.org/2014/07/another-linux-ddos-bot-via-cve-2012-1823.html; classtype:trojan-activity; sid:2019804; rev:4; metadata:created_at 2014_11_25, signature_severity Major, updated_at 2020_05_13;)