alert http any any -> any any (msg:"ATTACK [PTsecurity] vBulletin 5.x pre-auth RCE"; flow:established, to_server; content:"POST"; http_method; content:"routestring"; http_client_body; content:"widget_php"; within:30; http_client_body; pcre:"/ajax.{1,6}render.{1,6}widget_php/P"; pcre:"/widgetConfig.{1,6}code/P"; reference:url, seclists.org/fulldisclosure/2019/Sep/31; reference:url, github.com/ptresearch/AttackDetection; classtype:attempted-admin; sid:10005417; rev:1;)