alert http $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER DEWMODE Webshell Observed Outbound"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:".php?csrftoken="; content:"|22|><font|20|size=4>Cleanup|20|Shell</font>"; fast_pattern; content:"file_id"; content:"path"; content:"file_name"; content:"uploaded_by"; content:"Recipient"; content:"Actions"; reference:url,www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html; reference:md5,2798c0e836b907e8224520e7e6e4bb42; reference:md5,bdfd11b1b092b7c61ce5f02ffc5ad55a; classtype:attempted-admin; sid:2031650; rev:1; metadata:attack_target Web_Server, created_at 2021_02_23, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_02_23;)