alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Possible NGINX Reference LDAP Query Injection Attack"; flow:established,to_server; http.header; content:"|0d 0a|X-Ldap-Template|3a 20|"; fast_pattern; nocase; content:"|28 7c|"; distance:0; within:5; http.header_names; content:!"Referer|0d 0a|"; reference:url,github.com/nginxinc/nginx-ldap-auth/issues/93; classtype:attempted-admin; sid:2035897; rev:2; metadata:attack_target Web_Server, created_at 2022_04_12, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_12, reviewed_at 2023_09_01;)