alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Simple JSP WebShell Landing Page"; flow:established,to_client; http.response_body; content:"|3c|HTML|3e 3c|BODY|3e|"; content:"Commands with JSP"; within:20; reference:md5,5b739059ebb590df7bc7ed33c8d62531; reference:url,www.cisa.gov/sites/default/files/publications/MAR-10410305.r1.v1.CLEAR_0.pdf; classtype:attempted-user; sid:2049405; rev:1; metadata:attack_target Server, created_at 2023_11_30, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag WebShell, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_30, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:src_ip;)