alert http any any -> $HOME_NET any (msg:"ET MALWARE PHASEJAM Web Shell Activity Observed M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dana-na/auth/restAuth.cgi?"; fast_pattern; startswith; pcre:"/^.*?\w+\x3d[1-5][\x26\s]/R"; reference:url,cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day; classtype:trojan-activity; sid:2059097; rev:2; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_01_09, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag WebShell, updated_at 2026_05_07, mitre_tactic_id TA0003, mitre_tactic_name Persistence, mitre_technique_id T1505, mitre_technique_name Server_Software_Component; target:dest_ip;)