alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible PlugX Common Header Struct"; flow:established,to_server; http.method; content:"POST"; http.header; content:"|3a 20|61456|0d 0a|"; fast_pattern; http.user_agent; content:!"Dickson/"; depth:8; http.host; content:!".googleapis.com"; endswith; http.content_len; content:!"61456"; http.header_names; content:!"Referer"; reference:url,fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html; reference:url,alienvault.com/open-threat-exchange/blog/the-connection-between-the-plugx-chinese-gang-and-the-latest-internet-explo; reference:url,securelist.com/blog/incidents/57197/the-rush-for-cve-2013-3906-a-hot-commodity/; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; classtype:trojan-activity; sid:2018228; rev:10; metadata:created_at 2014_03_06, deprecation_reason False_Positive, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_09_11;)