alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB_SPECIFIC Possible XOOPS User.php Cross Site Scripting Attack"; flow:to_server,established; uricontent:"/modules/profile/user.php"; nocase; uricontent:"