alert http any any -> $HOME_NET any (msg:"ET HUNTING PHP Serialize Object Injection M4"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; fast_pattern; http.header_names; content:"|0d 0a|Cookie|0d 0a|"; content:!"Referer|0d 0a|"; http.request_body; pcre:"/[a-z]%3a(?:%2b)?\d+%3a(?:[a-z]?%3a\d+(?:%3a)?(?:%7b)?|%22.+%22|%3b|%7d)+/i"; classtype:web-application-attack; sid:2062298; rev:1; metadata:attack_target Web_Server, created_at 2025_05_13, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Major, updated_at 2025_05_13; target:dest_ip;)