ET MALWARE Activity related to APT.Seinup Checkin 1
Source: et/open
Created: June 20, 2013
Updated: May 6, 2024
Classification: targeted-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Activity related to APT.Seinup Checkin 1"; flow:established,to_server; urilen:>87; http.method; content:"GET"; nocase; http.uri; content:".php?"; fast_pattern; pcre:"/\.php\?[a-zA-Z0-9]+?=[a-zA-Z0-9]+?&[a-zA-Z0-9]+?=(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})(&[a-zA-Z0-9]+?=[a-f0-9]{32}){2}$/"; http.header; content:"User-Agent|3a|"; depth:11; http.user_agent; content:"|20|MSIE 6.0|3b|"; content:".NET CLR 1.1.4322"; distance:0; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:url,fireeye.com/blog/technical/malware-research/2013/06/trojan-apt-seinup-hitting-asean.html; classtype:targeted-activity; sid:2017036; rev:7; metadata:created_at 2013_06_20, deprecation_reason Performance, performance_impact Significant, signature_severity Major, updated_at 2024_05_06;)
References
Metadata
created at: 2013_06_20
deprecation reason: Performance
performance impact: Significant
signature severity: Major
updated at: 2024_05_06