alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Linux/MayhemBruter Inbound Ping From CnC"; flow:established,to_server; http.uri; content:"/wp-content/plugins/"; content:"/libso"; distance:0; pcre:"/\/libso\d{1,4}\.php\?id=[a-zA-Z0-9]+$/"; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3405&p=27363; classtype:command-and-control; sid:2022224; rev:3; metadata:created_at 2015_12_07, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_06_09;)