alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex POST Checkin"; flow:established,to_server; urilen:>20; http.method; content:"POST"; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.header_names; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Content-Length|0d 0a 0d 0a|"; bsize:89; reference:md5,68459c32587e08d953d319ceb2d0888b; classtype:command-and-control; sid:2019478; rev:3; metadata:created_at 2014_10_20, signature_severity Major, updated_at 2020_05_12;)