alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/AntiBreach Possible Activation Attempt"; flow:established,to_server; http.uri; content:"/buy.php?id="; content:"&sub_id="; content:"&install_id="; content:"&project_id="; content:"&serial="; reference:url,www.malware-traffic-analysis.net/2014/11/21/index.html; classtype:trojan-activity; sid:2019771; rev:3; metadata:created_at 2014_11_21, confidence Medium, signature_severity Major, updated_at 2020_05_13;)