alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backoff POS Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php"; http.request_body; content:"&op="; depth:4; content:"&id="; content:"&ui="; content:"&wv="; fast_pattern; content:"&bv="; pcre:"/^&op=\d{1,2}&id=\w+?&ui=.+?&bv=\d{1,2}\.\d{1,2}($|&)/"; reference:md5,d0c74483f20c608a0a89c5ba05c2197f; classtype:command-and-control; sid:2018857; rev:8; metadata:created_at 2014_03_06, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_25;)