alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT Joomla RCE M3 (Serialized PHP in XFF)"; flow:established,to_server; http.header; content:"O|3a|"; fast_pattern; pcre:"/^X-Forwarded-For\x3a[^\r\n]*\bO\x3a\d+\x3a[^\r\n]*?\{[^\r\n]*?\}/mi"; reference:url,blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html; classtype:web-application-attack; sid:2022268; rev:4; metadata:created_at 2015_12_16, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_05;)