Potential WIREFIRE Web Shell

Anvilogic Forge

Summary
This rule detects the WIREFIRE web shell by identifying POST requests that may indicate a web shell is present on a server. WIREFIRE is a Python-written web shell commonly associated with compromises of the Ivanti Connect Secure appliance. The rule inspects web logs for patterns suggesting irregular use of .py files or of specific API endpoints that attackers are known to abuse. It checks the HTTP method (POST or PUT) and requires a 200 response status for a request to qualify as a potential threat, and it evaluates the total bytes sent back to the client. An alert is raised when a matching request produces significant output (bytes_out > 500), which suggests command execution or a file download, both common web shell functions.
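The following is an added illustration of the detection logic described above, written for this page and not Anvilogic's rule code. It parses Common Log Format lines, treats the response-size field as bytes_out, and applies the three conditions the summary names (POST/PUT, status 200, bytes_out > 500) together with the path check for .py files or watched API endpoints. The log lines are constructed, and the endpoint list is a placeholder, since the page does not name the specific endpoints the rule watches.

```python
import re

# Common Log Format: host ident authuser [time] "METHOD path PROTO" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Placeholder: the rule references "specific API endpoints" but the page does not
# list them, so substitute the endpoints your own rule watches.
WATCHED_ENDPOINTS = ("/api/PLACEHOLDER/endpoint",)

# Constructed sample log lines (not from any real appliance).
SAMPLE_LOGS = [
    '198.51.100.7 - - [09/Feb/2024:10:15:01 +0000] "POST /api/PLACEHOLDER/endpoint HTTP/1.1" 200 1843',
    '198.51.100.7 - - [09/Feb/2024:10:15:02 +0000] "GET /api/PLACEHOLDER/endpoint HTTP/1.1" 200 1843',
    '203.0.113.5 - - [09/Feb/2024:10:16:10 +0000] "POST /cgi/handler.py HTTP/1.1" 200 120',
    '203.0.113.5 - - [09/Feb/2024:10:16:11 +0000] "PUT /cgi/handler.py?x=1 HTTP/1.1" 200 2048',
    '192.0.2.9 - - [09/Feb/2024:10:17:00 +0000] "POST /cgi/handler.py HTTP/1.1" 404 3000',
    '192.0.2.9 - - [09/Feb/2024:10:17:05 +0000] "POST /login HTTP/1.1" 200 5000',
    'this line is malformed and must be skipped',
]


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    size = m.group("bytes")
    return {
        "host": m.group("host"),
        "method": m.group("method").upper(),
        "path": m.group("path"),
        "status": int(m.group("status")),
        # "-" means no body was sent; treat it as zero bytes out.
        "bytes_out": 0 if size == "-" else int(size),
    }


def suspicious_path(path):
    """True for a .py resource or one of the watched API endpoints (query string ignored)."""
    path_only = path.split("?", 1)[0]
    if path_only.lower().endswith(".py"):
        return True
    return path_only.startswith(WATCHED_ENDPOINTS)


def is_potential_wirefire(event, bytes_threshold=500):
    """Apply the rule's conditions: POST/PUT, status 200, large response, suspicious path."""
    if event["method"] not in ("POST", "PUT"):
        return False
    if event["status"] != 200:
        return False
    if event["bytes_out"] <= bytes_threshold:
        return False
    return suspicious_path(event["path"])


def detect(lines, bytes_threshold=500):
    """Return the parsed events that satisfy the rule; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        event = parse_clf(line)
        if event is not None and is_potential_wirefire(event, bytes_threshold):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOGS):
        print(f"ALERT host={hit['host']} {hit['method']} {hit['path']} bytes_out={hit['bytes_out']}")
```

Of the constructed lines, only the POST to the placeholder endpoint and the PUT to the .py handler satisfy all conditions; the GET, the 120-byte response, the 404 and the /login request are dropped by one check each. In a SIEM the same conditions would be expressed as a search over the web data model, but the ordering here mirrors how a cheap field comparison should gate the more expensive path inspection.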
Categories
  • Web
  • Cloud
Data Sources
  • Web Credential
  • Network Traffic
ATT&CK Techniques
  • T1505.003
Created: 2024-02-09