alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE IIS-Raid Module Backdoor - INJ Command in HTTP Request"; flow:established,to_server; flowbits:set,ET.IIS-Raid.INJ; http.header; content:"|3a 20|INJ|7c|"; fast_pattern; content:!"|0d 0a|"; within:2; reference:url,github.com/0x09AL/IIS-Raid; classtype:trojan-activity; sid:2046176; rev:1; metadata:attack_target Web_Server, created_at 2023_06_09, deployment Perimeter, deployment Internal, deployment SSLDecrypt, malware_family IIS_Raid, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_06_09; target:dest_ip;)