alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.TurlaCarbon.A C2 HTTP Request"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"?uid="; content:"&context="; distance:0; content:"&mode=text&"; fast_pattern; distance:0; content:"data="; pcre:"/\?uid=\d+&context=\w+&mode=text&data=\w+$/"; reference:url,blog.gdatasoftware.com/blog/article/analysis-of-project-cobra.html; classtype:command-and-control; sid:2020241; rev:3; metadata:created_at 2015_01_22, signature_severity Major, updated_at 2020_05_14;)