alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Equation Group EGREGIOUSBLUNDER Fortigate Exploit Attempt"; flow:established,to_server; urilen:6; http.method; content:"POST"; http.uri; content:"/index"; http.start; content:"APSCOOKIE=Era=0&Payload="; fast_pattern; pcre:"/^[A-Za-z0-9+\x2f]{0,4}?[^\x20-\x7e]/R"; http.header_names; content:"|0d 0a|Host|0d 0a|Content-length|0d 0a|"; depth:24; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; classtype:attempted-admin; sid:2023075; rev:5; metadata:affected_product Fortigate, attack_target Server, created_at 2016_08_17, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2025_07_08;)