alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /etc/passwd access"; content:"/etc/passwd"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000004; program: bash|-bash|sh|-sh; sid:5000004; rev:4;)
-- Main.Sagan-Wiki-Add - 2015-10-21
New revisions of 5000004 will be below...
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[BASH] /etc/passwd access"; content:"/etc/passwd"; content:"HISTORY"; classtype: suspicious-command; reference: url,wiki.quadrantsec.com/bin/view/Main/5000004; program: bash|-bash|sh|-sh; sid:5000004; rev:5;)
-- Main.Sagan-Wiki-Add - 2021-4-12