alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT PHP-Live-Chat Get Shell Attempt Inbound"; flow:established,to_server; urilen:35; http.method; content:"POST"; http.uri; content:"|2f|php|2f|app|2e|php|3f|mobile|2d|operator|2d|create"; http.request_body; content:"roles=OPERATOR&name="; startswith; fast_pattern; content:"&mail="; content:"&password="; reference:url,github.com/wy876/POC/tree/main; classtype:attempted-admin; sid:2053401; rev:1; metadata:affected_product Web_Server_Applications, attack_target Server, tls_state plaintext, created_at 2024_06_10, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_06_10;)