alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER MorXploit Shell Command"; flow:established,to_server; http.uri; content:"?cmd=ZXhpdA=="; fast_pattern; http.user_agent; content:"Mozilla 5"; startswith; reference:url,seclists.org/fulldisclosure/2014/Nov/78; classtype:bad-unknown; sid:2019951; rev:3; metadata:created_at 2014_12_16, signature_severity Major, updated_at 2020_05_14;)