alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FOX-SRT - Backdoor - CryptoPHP Shell C2 POST"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.method; content:"POST"; http.request_body; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|serverKey|22|"; fast_pattern; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|data|22|"; content:"Content-Disposition|3a 20|form-data|3b 20|name=|22|key|22|"; http.header_names; content:!"Referer|0d 0a|"; content:!"User-Agent"; content:!"Cookie|0d 0a|"; reference:url,blog.fox-it.com/2014/11/18/cryptophp-analysis-of-a-hidden-threat-inside-popular-content-management-systems/; classtype:command-and-control; sid:2019748; rev:4; metadata:created_at 2014_11_20, signature_severity Major, updated_at 2020_11_05;)