alert http $EXTERNAL_NET any -> $HOME_NET 2375 (msg:"ATTACK Inbound Docker Engine API exec/start from external source"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.uri; content:"/exec/"; content:"/start"; distance:0; \
classtype:attempted-admin; priority:2; sid:1000231002; rev:3; \
metadata:created_at 2026-05-28;)

Ingress · TCP/2375 · SID 1000231002
Fires on an inbound POST to /exec/{id}/start on the plaintext Docker Engine API port (TCP/2375) from an external source, i.e. someone outside the network starting a command inside an existing container. Same two-tier split as the create rules: the external-source variant is medium (priority:2 here), the internal-source variant is info. Two caveats: the signature only sees unencrypted API traffic, so a daemon exposed on the TLS port (2376) is not inspected by it, and an exec instance has to be created first (POST /containers/{id}/exec), so in a real intrusion the matching create rule should fire before this one.
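To check what the two `content` matches in the rule actually accept, here is an added example (not part of this rule set or of Suricata) that re-implements the method/URI logic of SID 1000231002 in Python and runs it over constructed Docker Engine API request lines. The exec ID is a placeholder, and flow direction and port are not modelled; only the `http.method` / `http.uri` content checks are.

```python
# Added example (not part of the rule set or the Suricata project): a small
# re-implementation of the match logic behind SID 1000231002, run over
# constructed Docker Engine API request lines so the rule's reach and its
# gaps can be checked without a sensor. Only the rule's content checks are
# mirrored; flow direction and destination port are not modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    method: str
    uri: str


def parse_request_line(raw: str) -> HttpRequest:
    """Parse the request line of an HTTP/1.x request ("METHOD SP URI SP VERSION")."""
    request_line = raw.split("\r\n", 1)[0]
    method, uri, _version = request_line.split(" ", 2)
    return HttpRequest(method=method, uri=uri)


def rule_1000231002_matches(req: HttpRequest) -> bool:
    """Equivalent of:
         http.method; content:"POST";
         http.uri; content:"/exec/"; content:"/start"; distance:0;
    Suricata content matches are case-sensitive substring searches, and
    distance:0 means "/start" must begin at or after the end of "/exec/".
    """
    if "POST" not in req.method:
        return False
    exec_at = req.uri.find("/exec/")
    if exec_at < 0:
        return False
    return req.uri.find("/start", exec_at + len("/exec/")) >= 0


# Constructed request lines; the exec ID is a placeholder, not a real instance.
EXEC_ID = "a" * 64
SAMPLES = {
    # exec/start against the versioned API: the signature's target
    f"POST /v1.43/exec/{EXEC_ID}/start HTTP/1.1": True,
    # same call without a version prefix, still a match
    f"POST /exec/{EXEC_ID}/start HTTP/1.1": True,
    # exec *create* (the prerequisite step): left to the create rules
    "POST /v1.43/containers/web/exec HTTP/1.1": False,
    # inspecting an exec instance is a GET and does not contain "/start"
    f"GET /v1.43/exec/{EXEC_ID}/json HTTP/1.1": False,
    # tokens out of order: distance:0 rejects "/start" placed before "/exec/"
    "POST /start/exec/ HTTP/1.1": False,
}


def evaluate_samples() -> dict:
    """Return {request line: matched?} for every constructed sample."""
    return {line: rule_1000231002_matches(parse_request_line(line)) for line in SAMPLES}


def samples_agree_with_expectations() -> bool:
    """True when the re-implementation alerts on exactly the samples marked True."""
    return evaluate_samples() == SAMPLES


if __name__ == "__main__":
    for line, hit in evaluate_samples().items():
        print(("ALERT " if hit else "      ") + line)
```

The "create" sample is deliberately a miss: `/containers/{id}/exec` contains `/exec` without the trailing slash, so this signature leaves that step to the create rules, which is the split the description refers to.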