alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Drive DDoS Check-in"; flow:established,to_server; flowbits:set,ET.Drive.DDoS.Checkin; http.method; content:"POST"; http.header; pcre:"/-urlencoded\r\n(?:\r\n)?$/"; http.request_body; content:"k="; fast_pattern; startswith; pcre:"/^[0-9]*?[a-z]/PR"; http.content_len; byte_test:0,=,17,0,string,dec; http.header_names; content:!"Referer|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; startswith; classtype:trojan-activity; sid:2017045; rev:5; metadata:created_at 2013_06_22, confidence Medium, signature_severity Major, updated_at 2020_11_17;)