alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PlugX Checkin"; flow:to_server,established; http.method; content:"POST"; http.uri; pcre:"/^\/[A-F0-9]{24}$/"; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|"; depth:13; pcre:"/^[A-Z]{4}/R"; content:"1|3a 20|0|0d 0a|"; fast_pattern; within:6; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017714; rev:8; metadata:created_at 2013_11_14, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_12_10;)