alert http $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET MALWARE W32/Dridex POST CnC Beacon"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|Trident/7.0|3b 20|rv|3a|11.0) like Gecko"; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?$/"; http.connection; content:"Close"; endswith; http.content_type; content:"octet/binary"; endswith; http.header_names; content:!"Referer"; reference:md5,d37256439d5ab7f25561cc390d8aa1ea; classtype:command-and-control; sid:2019891; rev:6; metadata:attack_target Client_Endpoint, created_at 2014_12_08, deployment Perimeter, malware_family Dridex, signature_severity Major, tag c2, updated_at 2020_09_15, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)