alert http any any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER ATTACKER WebShell - Weevely - Cookie"; flow:established,to_server; http.header; content:"ing|3a| identity|0D 0A|Host|3a|"; http.cookie; content:"SESS="; content:"|3B| SID="; distance:0; content:"|3B| PREF="; distance:0; content:"|3B|SSID="; distance:0; classtype:trojan-activity; sid:2020557; rev:3; metadata:created_at 2015_02_24, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_15;)