alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE APT.Agtid callback"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Agtid|3a 20|"; reference:url,www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html; classtype:targeted-activity; sid:2017511; rev:4; metadata:created_at 2013_09_24, signature_severity Major, updated_at 2020_04_27;)