alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT eMerge E3 Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/card_scan"; startswith; fast_pattern; content:".php"; distance:0; within:15; content:"=|60|"; reference:cve,2019-7256; classtype:attempted-admin; sid:2033757; rev:1; metadata:created_at 2021_08_22, cve CVE_2019_7256, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_08_22, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)