alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Attempted Symantec Secure Web Gateway RCE"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/spywall/timeConfig.php"; bsize:23; fast_pattern; http.user_agent; content:"XTC"; http.request_body; content:"posttime="; content:"&saveForm="; content:"&timesync="; content:"&ntpserver="; content:"wget"; content:"/tmp/viktor|29 3b|"; content:"timezone="; reference:url,unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/; classtype:attempted-user; sid:2030193; rev:1; metadata:attack_target Web_Server, created_at 2020_05_19, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_19;)