alert tcp-pkt $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET PHISHING Generic Credential Phish Landing Page 2023-03-21"; flow:established,to_server; content:"method|00 00 00|"; content:"POST"; within:5; content:"path|00 00 00|"; content:"/gh05t/"; within:8; fast_pattern; content:".php|00 00 00|"; content:"ai="; content:"&pr="; reference:url,twitter.com/doc_guard/status/1637932033765769220; classtype:credential-theft; sid:2044713; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_03_21, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_21;)