alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Invalid/Suspicious User-Agent (PHP)"; flow:to_server,established; http.user_agent; content:"PHP/5."; nocase; fast_pattern; startswith; pcre:"/^\{\d(?:\|\d){1,}\}\.\{\d(?:\|\d){1,}\}\{\d(?:\|\d){1,}\}/R"; classtype:web-application-attack; sid:2022350; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2016_01_12, deployment Perimeter, confidence High, signature_severity Major, tag User_Agent, updated_at 2020_06_17;)