alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED SPL2 PluginDetect Data Hash"; flow:to_server,established; content:".html?id"; http_uri; fast_pattern:only; pcre:"/\.html\?id\d*?=[a-f0-9]{32}$/U"; pcre:"/GET\s[^\r\n]*?(?P<name>\/[^\.\/]+\.html)\?id\d*?=[a-f0-9]{32}\sHTTP\/1\..+?\r\nReferer\x3a\x20[^\r\n]*?(?P=name)(:?\d{1,5})?\r\n/s"; classtype:trojan-activity; sid:2017850; rev:3; metadata:created_at 2013_12_13, signature_severity Unknown, updated_at 2019_07_26;)