alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET EXPLOIT NEC SL2100 - Session Enumeration Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/PyxisUaMenu.htm?sessionId="; startswith; pcre:"/^\d{3}/R"; content:"&MAINFRM|28|444,-1,591|29|"; distance:0; fast_pattern; threshold:type threshold, count 5, seconds 60, track by_dst; reference:url,www.exploit-db.com/exploits/48425; classtype:attempted-recon; sid:2030102; rev:2; metadata:attack_target Server, created_at 2020_05_05, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_05_05;)