alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Hangover related campaign Checkin"; flow:established,to_server; http.uri; content:"post.php?filename="; fast_pattern; content:"&folder="; distance:0; pcre:"/\/\/?$/"; http.header_names; content:!"Referer|0d 0a|"; reference:md5,0392fb51816dd9583f9cb206a2cf02d9; reference:url,bluecoat.com/security-blog/2014-06-10/snake-grass-python-based-malware-used-targeted-attacks; classtype:command-and-control; sid:2018566; rev:3; metadata:created_at 2014_06_16, signature_severity Major, updated_at 2020_04_30;)