alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Redyms.A Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; content:".php"; offset:6; depth:7; http.header; content:".net|0d 0a|Content-Length|3a 20|128|0d 0a|"; fast_pattern; http.start; pcre:"/^POST \/(?P<filep>[a-z]{5,8})\.php HTTP.+?\r\nHost\x3a\x20(?P=filep)[a-z]+?\.net\r\n/s"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|Cache-Control|0d 0a 0d 0a|"; depth:53; endswith; classtype:command-and-control; sid:2016759; rev:4; metadata:created_at 2013_04_16, malware_family Win32_Redyms_A, signature_severity Major, updated_at 2020_11_05;)