alert tcp any any -> any any (msg:"Potential exploit attempt to CVE-2020-1938 (Servlet include attempt)"; sid:10003;flow:to_server,established;content:"|02 02|";offset:4;depth:2;content:"HTTP";nocase;distance:0;within:10;content:"|6a617661782e736572766c65742e696e636c7564652e726571756573745f757269|";content:"|6a617661782e736572766c65742e696e636c7564652e706174685f696e666f|";content:"|6a617661782e736572766c65742e696e636c7564652e736572766c65745f70617468|";reference:url,https://www.chaitin.cn/en/ghostcat;)