# Purpose: alert on server-to-client traffic from $EXTERNAL_NET $HTTP_PORTS that
# contains a "system.run(" call followed closely by "sh". The msg and reference
# options tie it to Apple Software Update and CVE-2007-5863.
#
# Match logic, in option order:
#   flow:to_client,established      - only response data on an established session.
#   content:"system.run("; nocase   - case-insensitive anchor for the call.
#   content:!")"; within:15; distance:0
#                                   - negated: no ")" in the 15 bytes after the anchor,
#                                     i.e. the call is not closed immediately.
#   content:"sh"; nocase; within:15; distance:0
#                                   - "sh" inside a 15-byte window. Presumably still measured
#                                     from the end of "system.run(", since a negated content
#                                     match should not advance the cursor; verify on your engine.
#   pcre:!"/[a-z0-9]system\.run\(/i" - negated: drop the alert when "system.run(" is directly
#                                     preceded by an ASCII letter or digit (a longer identifier).
#
# NOTE(review): the pcre has no relative (R) modifier, so it is evaluated against the
# whole payload rather than the occurrence matched above. One prefixed occurrence anywhere
# in the payload therefore suppresses the alert for the entire packet. Confirm this
# coverage gap is acceptable, or tie the boundary check to the matched occurrence.
# NOTE(review): "sh" is a two-byte, case-insensitive pattern, so ordinary script text
# (for example any word containing "sh") inside the window will also satisfy it. Expect
# false positives and tune against real traffic.
# NOTE(review): matching is on the raw payload only; whether compressed or chunked
# response bodies are normalised before this rule runs depends on the HTTP
# preprocessor configuration. Confirm for your deployment.
# NOTE(review): classtype:web-application-activity is a low-priority class for a rule whose
# msg describes a command-execution attempt; consider whether attempted-user fits triage better.
# NOTE(review): sid 92528 is below 1000000, the range conventionally left for distributed
# rule sets. If this is a locally written rule, renumber it to avoid collisions on update.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Software Update system.run() and sh attempt"; flow:to_client,established; content:"system.run("; nocase; content:!")"; within:15; distance:0; content:"sh"; nocase; within:15; distance:0; pcre:!"/[a-z0-9]system\.run\(/i"; reference:cve,2007-5863; classtype:web-application-activity; sid:92528; rev:1;)