alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Generic Webshell Activity (Response)"; flow:established,to_client; file.data; content:"<body><title>FILE MANAGER v.1.0</title>"; content:"<h1>Green Dinosaur</h1>"; fast_pattern; content:"|61 63 74 69 6f 6e 3d 27 3f 66 70 61 74 68 3d|"; distance:0; reference:md5,9cdda333432f403b408b9fe717163861; classtype:web-application-attack; sid:2044914; rev:1; metadata:attack_target Web_Server, created_at 2023_04_10, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_10; target:src_ip;)