alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Tatanga/Win32.Kexject.A Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.header_names; content:!"User-Agent|0d 0a|"; http.request_body; content:"|CE FA AD DE 03 00|"; depth:6; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; classtype:command-and-control; sid:2013819; rev:5; metadata:created_at 2011_11_02, confidence Medium, signature_severity Major, updated_at 2020_04_22;)