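# Four-stage detection chain for the Metasploit ContentKeeper Web remote code
# execution module. The stages are linked with xbits tracked per IP pair, each
# bit expiring after 30 seconds. Stages 1-3 carry xbits:noalert and only record
# state; stage 4 is the only rule that raises an alert.
#
# Changes from the original listing:
#   * one rule per line (the four rules were fused onto a single line);
#   * every xbits:isset now names "track ip_pair", so the check reads the same
#     IP-pair store that the matching xbits:set writes. The xbits keyword
#     expects a track option on isset as well as on set;
#   * the status match in sid 201300022 is case-insensitive (see stage 2).
# Bump rev on the edited rules when deploying them, per local rule-management
# practice.
#
# NOTE(review): the destination port is fixed at 80 and each bit lives for 30
# seconds. A service on another port, or stages spaced more than 30 seconds
# apart, will not complete the chain. Tune both for the monitored environment.

# Stage 1 - recon request: URI contains /cgi-bin/ck/mimencode. Sets "recon".
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 80 (msg:"Metasploit ContentKeeper Web remote code exec recon connection"; xbits:noalert; xbits:set,Metasploit.ContentKeeper.recon, track ip_pair, expire 30; flow:established,to_server; content:"/cgi-bin/ck/mimencode"; http_uri; sid:201300021; rev:1;)

# Stage 2 - server reply to the recon request contains "500 internal". Requires
# "recon" and sets "recon_status_is_vuln". nocase is added because the literal
# is lower-case while HTTP reason phrases are commonly capitalised
# ("500 Internal Server Error"). A case-sensitive match would presumably never
# fire and the chain would stall here. Confirm against captured traffic.
alert tcp $HOME_NET 80 -> $EXTERNAL_NET 1024: (msg:"Metasploit ContentKeeper Web remote code exec recon status vulnerable"; xbits:noalert; xbits:isset,Metasploit.ContentKeeper.recon, track ip_pair; xbits:set,Metasploit.ContentKeeper.recon_status_is_vuln, track ip_pair, expire 30; flow:established,to_client; content:"500 internal"; nocase; sid:201300022; rev:1;)

# Stage 3 - payload upload: URI contains the literal "u+-o+" (|2b| is '+',
# |2d| is '-'). The second content has no HTTP buffer modifier, so it is matched
# against the raw stream. It is the base64 form of a Perl shebang line followed
# by the start of a print "Content-type: text/html statement. Requires
# "recon_status_is_vuln" and sets "payload_uploaded".
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 80 (msg:"Metasploit ContentKeeper Web remote code exec base64 encoded payload uploaded"; xbits:noalert; xbits:isset,Metasploit.ContentKeeper.recon_status_is_vuln, track ip_pair; xbits:set,Metasploit.ContentKeeper.payload_uploaded, track ip_pair, expire 30; flow:established,to_server; content:"u|2b 2d|o|2b|"; http_uri; content:"IyEvdXNyL2Jpbi9wZXJsCnByaW50ICJDb250ZW50LXR5cGU6IHRleHQvaHRtbF"; sid:201300023; rev:1;)

# Stage 4 - alerting rule: any request under /cgi-bin/ck/ from the same IP pair
# while "payload_uploaded" is still set.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 80 (msg:"Metasploit ContentKeeper Web remote code exec"; xbits:isset,Metasploit.ContentKeeper.payload_uploaded, track ip_pair; flow:established,to_server; content:"/cgi-bin/ck/"; http_uri; sid:201300024; rev:1;)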