alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Briba CnC POST Beacon"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/index"; depth:6; content:".asp"; distance:9; within:4; http.header; content:"Content-Length|3a 20|00"; fast_pattern; http.user_agent; content:"|20|MSIE|20|"; http.host; content:"update.microsoft.com"; startswith; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/05/ready-for-summer-the-sunshop-campaign.html; reference:url,citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=PWS%3AWin32%2FBriba.A; classtype:command-and-control; sid:2016911; rev:5; metadata:attack_target Client_Endpoint, created_at 2013_05_22, deployment Perimeter, signature_severity Major, tag c2, updated_at 2020_09_18, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)