alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET WEB_SPECIFIC_APPS Zimbra XSS via momoveto"; flow:established,to_server; http.uri; content:"/m/momoveto"; fast_pattern; content:"st="; distance:0; content:"|22 3e 3c|"; distance:0; reference:url,blog.zimbra.com/2023/07/security-update-for-zimbra-collaboration-suite-version-8-8-15/; reference:url,twitter.com/_JohnHammond/status/1679606263162994689/; classtype:attempted-admin; sid:2046829; rev:1; metadata:attack_target Web_Server, created_at 2023_07_18, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2023_07_18; target:dest_ip;)