alert tcp any any -> $HOME_NET 40006 (msg:"ET EXPLOIT [401TRG] HPDM Backdoor Login"; flow:established,to_server; content:"user|00|dm_postgres|00|database|00|hpdmdb|00|"; fast_pattern; reference:url,twitter.com/nickstadb/status/1310853783765815297; classtype:attempted-admin; sid:2030961; rev:2; metadata:created_at 2020_10_02, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_02;)