alert http $HOME_NET any -> $HOME_NET 2375 (msg:"POLICY Inbound Docker Engine API exec/start from internal source"; \
flow:to_server,established; \
http.method; content:"POST"; \
http.uri; content:"/exec/"; content:"/start"; distance:0; \
classtype:policy-violation; priority:4; sid:1000231012; rev:1; \
metadata:created_at 2026-05-28;)

Ingress · TCP/2375 · SID 1000231012
Informational-tier companion to SID 1000231002, covering exec/start requests that come from internal sources. Suppress for known management IPs.
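
One way to apply that suppression in Suricata's threshold.config, shown as an added example that is not part of the original rule set; the two addresses are constructed placeholders for your own management hosts. Tracking by source keeps the alert active for every other internal client that reaches the Docker API port.

```conf
# threshold.config (added example; the IP addresses below are placeholders)
# Silence SID 1000231012 only when the request originates from a listed
# management host. Requests from any other $HOME_NET source still alert.
suppress gen_id 1, sig_id 1000231012, track by_src, ip [10.0.50.10,10.0.50.11]
```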