alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Ping Identity Landing Page 2022-03-14"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"<!-- template name: html.form.login.template.html -->"; content:"<!-- Configurable default behavior for the Remember Username checkbox -->"; content:"<!-- set the checkbox to unchecked -->"; content:"<title>Log in</title>"; content:"|24 2e|ajax"; content:"type|20 3a 20 27|POST|27 2c|"; content:"url|20 3a 20 27|files|2f|action|2e|php|3f|type|3d|login|27 2c|"; content:"data|20 3a 20 24 28 27 23|loginForm|27 29 2e|serialize|28 29 2c|"; content:"location|2e|href|20 3d 20 22|Loading|2e|php|22|"; content:"Ping Identity Corporation"; reference:md5,391dd3f15f5520a3bbfc654dbb3a4ac6; classtype:credential-theft; sid:2035454; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_14, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_14;)