alert http [$HOME_NET,$HTTP_SERVERS] any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE FightAgent WebShell Response Outbound"; flow:established,to_client; http.response_body; content:"|24|malsite"; fast_pattern; content:"|24|dbname|20 3d 20 24 5f|GET|5b 27|dbname|27 5d 3b|"; content:"|24|dbserver|20 3d 20 24 5f|COOKIE|5b 22|dbserver|22 5d 3b|"; content:"|24|dbuser|20 3d 20 24 5f|COOKIE|5b 22|dbuser|22 5d 3b|"; content:"|24|dbpass|20 3d 20 24 5f|COOKIE|5b 22|dbpass|22 5d 3b|"; content:"|22|Dump|2d 24|dbname|2d 24|date|22 3b|"; classtype:attempted-admin; sid:2046242; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_06_13, deployment Perimeter, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_13;)