alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Dridex v2 POST Checkin"; flow:established,to_server; urilen:>20; http.method; content:"POST"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Encoding|0d 0a|"; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|User-Agent|0d 0a|Content-Type|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Authorization|0d 0a|Content-Length|0d 0a 0d 0a|"; startswith; http.header; content:"Content-Type|3a 20|octet/binary|0d 0a|Accept|3a 20|*/*|0d 0a|"; fast_pattern; content:"Authorization|3a 20|Basic"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; reference:url,securityblog.s21sec.com/2014/11/dridex-learns-new-trick-p2p-over-http.html; classtype:command-and-control; sid:2019830; rev:3; metadata:created_at 2014_12_01, signature_severity Major, updated_at 2020_05_14;)