alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FAKE AV HTTP CnC Post"; flow:established,to_server; http.method; content:"POST"; nocase; http.user_agent; content:"Mozilla/3.0 (compatible|3b 20|TALWinInetHTTPClient)"; depth:46; http.request_body; content:"action="; nocase; content:"uid="; nocase; content:"cnt="; nocase; content:"lng="; nocase; content:"type="; nocase; content:"user_id="; nocase; content:"pc_id="; nocase; content:"abbr="; nocase; classtype:command-and-control; sid:2009455; rev:9; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_10_14;)