alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS XML External Entity Remote Code Execution"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"<?xml version=|22|1.0|22 20|encoding="; content:"<!DOCTYPE"; content:"<!ENTITY"; content:"SYSTEM |22|php|3a|//"; fast_pattern; reference:url,owasp.org/index.php/XML_External_Entity_(XXE)_Processing; classtype:attempted-user; sid:2025878; rev:3; metadata:attack_target Web_Server, created_at 2018_07_20, deployment Datacenter, performance_impact Low, signature_severity Major, updated_at 2020_08_25, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)