alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 1"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"port="; fast_pattern; content:"&uname="; distance:0; content:"&uuid="; distance:0; pcre:"/&uuid=[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/"; http.header; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; classtype:command-and-control; sid:2017642; rev:5; metadata:created_at 2013_10_30, deprecation_reason Age, signature_severity Major, updated_at 2024_02_08, reviewed_at 2024_02_08;)