alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Nymaim Checkin M2"; flow:to_server,established; http.method; content:"POST"; http.content_type; content:"application/x-www-form-urlencoded"; nocase; bsize:33; http.user_agent; content:"|20|MSIE|20|"; http.request_body; content:"filename="; depth:9; fast_pattern; content:"&data="; distance:0; pcre:"/^filename=[a-z]+?\.[a-z]+?&data=/"; http.header_names; content:!"Referer"; classtype:command-and-control; sid:2016757; rev:11; metadata:created_at 2013_04_16, signature_severity Major, updated_at 2022_10_20;)