alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Wordpress PingBack Possible GHOST attempt"; flow:established,to_server; http.uri; content:"/xmlrpc.php"; nocase; http.request_body; content:"pingback.ping"; nocase; fast_pattern; content:"<string>"; pcre:"/^\s*?https?\x3a\/\//Rs"; isdataat:1024,relative; content:!"|2f|"; within:1024; content:!"</string>"; within:1033; pcre:"/^\d[\d\x2e]{255}/R"; classtype:web-application-attack; sid:2020327; rev:8; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_01_28, deployment Datacenter, confidence Medium, signature_severity Major, tag Wordpress, updated_at 2020_09_29;)