alert http any any -> $HOME_NET any (msg:"ATTACK [PTsecurity] GitStack Arbitrary PHP upload RCE (CVE-2018-5955)"; flow:established, to_server; content:"/web/index.php?"; http_uri; content:".git"; distance:0; http_uri; content:"Authorization:"; http_header; nocase; content:"Basic"; distance:0; http_header; nocase; pcre:"/Basic\s+/i"; base64_decode:offset 0, relative; base64_data; pcre:"/&\s/"; reference:url, blogs.securiteam.com/index.php/archives/3557; reference:cve, CVE-2018-5955; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10002449; rev:2;)