alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic WSO Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:"<span>Uname:<br>User:<br>Php:<br>Hdd:<br>Cwd:</span></td><td><nobr>"; nocase; fast_pattern; content:"<span>Group:</span>"; nocase; distance:0; content:"<span>Safe mode:</span>"; nocase; distance:0; content:"<span>Datetime:</span>"; nocase; distance:0; content:"<span>Free:</span>"; nocase; distance:0; content:"<span>Server IP:</span>"; nocase; distance:0; content:"<span>Client IP:</span>"; nocase; distance:0; content:">Self remove</a>"; nocase; distance:0; content:"<h1>File manager</h1>"; nocase; distance:0; classtype:web-application-attack; sid:2029874; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_04_10, deployment Perimeter, confidence Medium, signature_severity Critical, updated_at 2020_04_10;)