alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"verint="; content:"&uid="; distance:0; content:"&wv="; distance:0; content:"&report="; distance:0; content:"&abbr="; distance:0; content:"&pid="; distance:0; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/"; reference:md5,d9bcb4e4d650a6ed4402fab8f9ef1387; classtype:trojan-activity; sid:2010247; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_04_21;)