ET WEB_SERVER ASPXSPY Webshell Login Attempt
Source: et/open
Created: July 6, 2023
Updated: July 6, 2023
Classification: trojan-activity
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER ASPXSPY Webshell Login Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".aspx"; endswith; http.request_body; content:"|5f 5f|EVENTTARGET|3d 26 5f 5f|FILE|3d|"; startswith; content:"HRJ|3d|"; content:"|26|ZSnXu=Login"; fast_pattern; endswith; reference:md5,2ef7bb0d9763cf38977182d65173d1b0; classtype:trojan-activity; sid:2046744; rev:1; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_07_06, deployment Perimeter, deployment Internal, deployment SSLDecrypt, malware_family ASPXSPY, performance_impact Low, confidence High, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_07_06; target:dest_ip;)
References
| md5 | 2ef7bb0d9763cf38977182d65173d1b0 |
Metadata
affected product: Microsoft_IIS
attack target: Web_Server
created at: 2023_07_06
deployment: SSLDecrypt
malware family: ASPXSPY
performance impact: Low
confidence: High
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2023_07_06