alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT FireEye Appliance Unauthorized File Disclosure"; flow:established,to_server; http.uri; content:"/NEI_ModuleDispatch.php"; content:"module=NEI_AdvancedConfig"; distance:0; content:"&function=HapiGetFileContents"; fast_pattern; distance:0; http.uri.raw; pcre:"/(?:%2(?:52e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/))|e(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))|\.(?:%2(?:52e(?:%(?:(?:25)?2|c0%a)f|\/)|e(?:%(?:(?:25)?2|c0%a)f|\/))|\.(?:%(?:(?:25)?2|c0%a)f|\/)))/i"; reference:url,www.exploit-db.com/exploits/38090/; classtype:trojan-activity; sid:2021756; rev:4; metadata:created_at 2015_09_10, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_06_01;)