alert http $EXTERNAL_NET any -> any any (msg:"ET EXPLOIT VMware VeloCloud Authorization Bypass (CVE-2019-5533)"; flow:established,to_server; http.request_body; content:"|7b 22|jsonrpc|22 3a 22|"; startswith; content:"/getEnterpriseUser|22|"; distance:0; fast_pattern; content:",|22|params|22 3a 7b 22|id|22 3a|"; distance:0; pcre:"/^(?P<num_value>\d+)\x7d,\x22id\x22\x3a(?P=num_value)/R"; http.method; content:"POST"; reference:cve,2019-5533; classtype:attempted-admin; sid:2028928; rev:1; metadata:created_at 2019_10_31, cve CVE_2019_5533, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2019_10_31;)