alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting"; flow:established,from_server; file_data; content:"onError"; content:"prompt"; fast_pattern; content:"img"; pcre:"/^\s*((?!>).)+?\s*src\s*=\s*[\x22\x27]\s*[^\x27\x28]+?[\x22\x27]\s*onError\s*=\s*prompt\s*\x28\s*[^)]*?(?:document|s(?:cript|tyle\x3D)|on(?:mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Rsi"; reference:cve,2018-13065; reference:url,exploit-db.com/exploits/44970/; classtype:attempted-user; sid:2025781; rev:3; metadata:attack_target Client_Endpoint, created_at 2018_07_03, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Critical, updated_at 2019_07_26;)