alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE CMDASP Webshell Default Title in HTTP Response"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"Microsoft-IIS/"; startswith; file.data; content:"|3c|title|3e|awen asp.net webshell|3c 2f|title|3e|"; fast_pattern; reference:url,github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx; classtype:trojan-activity; sid:2045284; rev:2; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_05_01, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, performance_impact Low, confidence High, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_19; target:src_ip;)