alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC POST"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/write.php"; fast_pattern; http.accept_lang; content:"ko-kr"; startswith; http.request_body; content:"db="; startswith; content:"&ch="; distance:0; content:"&name="; distance:0; content:"&email="; distance:0; content:"&pw="; distance:0; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016051; rev:6; metadata:created_at 2012_12_18, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_20;)