alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET HUNTING XML External Entity Injection Inbound M3"; flow:established,to_client; http.response_body; content:"ENTITY"; pcre:"/^\x20*?(?:\x26\x23(?:x25|37)\x3b|\x25|\x26percnt\x3b)?\x20*?(?P<name>[a-zA-Z]+)\x20*?[A-Z]+\x20*?(?:[\x22\x27]|\x2bACI\x2d|\x26quot\x3b)[^\x22]*?(?:[\x22\x27]|\x2bACI|\x26quot\x3b).*?[\x25\x26](?P=name)/Rs"; classtype:unknown; sid:2066046; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_12_05, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Significant, confidence Medium, signature_severity Major, updated_at 2025_12_05; target:src_ip;)