alert tcp any any -> $HOME_NET any (msg:"ET HUNTING SQL Database Version Discovery"; flow:established,to_server; content:"select"; nocase; content:"version"; fast_pattern; distance:0; pcre:"/(?:[sS][eE][lL][eE][cC][tT]|[fF][rR][oO][mM])(?:\s|\x2520|[\x2b\x7c])+(?:v\x24(?:version|instance)|\x40{2}version|version\x28\x29)/"; reference:url,portswigger.net/web-security/sql-injection/cheat-sheet; classtype:misc-activity; sid:2062928; rev:2; metadata:attack_target Server, created_at 2025_06_13, deployment Perimeter, deployment Internal, performance_impact Significant, confidence High, signature_severity Informational, updated_at 2025_10_09; target:dest_ip;)