alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET INFO Lucy Security - Admin Panel Accessed on Internal Server"; flow:established,to_client; file_data; content:"|20|system|2e|csrf|20 3d 20 22|"; content:"|22 3b 0a 20|"; distance:40; within:4; content:"|20|system|2e|baseUrl|20 3d 20 22|"; within:100; content:"|20|system|2e|uploadScnPDFUrl|20 3d 20 22|"; fast_pattern; within:2000; content:"|20|system|2e|uploadScnTplPDFUrl|20 3d 20 22|"; within:200; content:"|20|system|2e|appName|20 3d 20 22|"; within:200; reference:url,lucysecurity.com/; classtype:bad-unknown; sid:2030992; rev:3; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2020_10_09, deployment Perimeter, malware_family Lucy, performance_impact Low, confidence High, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_26;)