alert http any any -> any any (msg:"ATTACK [PTsecurity] GitStack Arbitrary PHP upload RCE (CVE-2018-5955)"; flow:established, to_server; content:"/web/index.php?"; http_uri; content:".git"; distance:0; http_uri; content:"Authorization:"; http_header; nocase; content:"Basic"; distance:0; http_header; nocase; pcre:"/Basic\s+/i"; base64_decode:offset 0, relative; base64_data; pcre:"/&\s/"; reference:url, blogs.securiteam.com/index.php/archives/3557; reference:cve, 2018-5955; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10002449; rev:4;)