alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Accessed on Internal Compromised Server"; flow:established,to_client; file.data; content:".github.io/PHP-Backdoor/"; nocase; fast_pattern; content:"<h3><center>Linux|20|"; nocase; distance:0; content:"<input type=|22|submit|22 20|value=|22|Upload|22 20|/></form>"; nocase; distance:0; content:"<option value=|22|delete|22|>Delete</option><option value=|22|rename|22|>Rename</option></select><input type=|22|hidden|22 20|name=|22|type|22 20|value=|22|dir|22|><input type=|22|hidden|22 20|name=|22|name|22 20|value=|22|chase|22|>"; nocase; distance:0; classtype:web-application-attack; sid:2030911; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_09_28, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_28;)