alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Vanguard v2.1 (Search) POST Inject Web Vulnerability"; flow:established,to_server; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; http.request_body; content:"phps_query|3d 22 3e 25 32 30 3c|iframe src="; startswith; fast_pattern; content:"onload="; distance:0; content:"|29 3e 26|phps_search|3d 3b 29|"; endswith; reference:url,exploit-db.com/exploits/50491; classtype:attempted-admin; sid:2034354; rev:2; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2021_11_05, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_07;)