alert http $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE Win32/Gatak Activity"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/\/(?:[a-z]{4,9}\/[a-z]{3,10}\?[a-z_]{2,9}=[0-9]{2,8}|[a-z]{10})&[a-z]{5,9}=[a-zA-Z0-9_*]{30,}$/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 5.1|3b| Trident/4.0)|0d 0a|Host|3a|"; fast_pattern; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32/Gatak; reference:url,www.malwaresigs.com/2013/01/30/trojan-gatak-post-compromise/; classtype:trojan-activity; sid:2018799; rev:4; metadata:created_at 2014_07_29, malware_family Win32_Gatak, signature_severity Major, updated_at 2020_05_01;)