alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/ProxyChanger.InfoStealer Checkin"; flow:established,to_server; http.method; content:"POST"; nocase; http.uri; content:"/abc.php"; fast_pattern; http.user_agent; content:"Mozilla/3.0|20 28|compatible|3B 20|Indy Library|29|"; startswith; http.request_body; content:"ABC="; startswith; content:"&XRE="; within:30; reference:md5,67c9799940dce6b9af2e6f98f52afdf7; classtype:command-and-control; sid:2014356; rev:6; metadata:created_at 2012_03_09, signature_severity Major, updated_at 2024_02_22;)