alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 2"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Connection|3A 20|close|0D 0A|Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|Content-Length|3A 20|"; http.request_body; content:"b=1&name="; depth:9; fast_pattern; content:"&uuid="; distance:0; pcre:"/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/R"; http.header_names; content:!"User-Agent|0d 0a|"; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; classtype:command-and-control; sid:2017643; rev:5; metadata:created_at 2013_10_30, signature_severity Major, updated_at 2020_04_27;)