alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET MALWARE China Chopper Command Struct"; flow:to_server,established; content:"FromBase64String"; fast_pattern; content:"unsafe"; distance:0; content:"eval("; http.method; content:"POST"; nocase; http.request_body; content:"&z"; pcre:"/^\d{1,3}=/Ri"; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; classtype:trojan-activity; sid:2017313; rev:5; metadata:created_at 2013_08_12, signature_severity Major, updated_at 2020_11_03;)