alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android Syria-Twitter Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:"/contacts"; endswith; http.user_agent; content:"Apache-HttpClient/"; depth:18; http.request_body; content:"contact|25|26="; depth:11; fast_pattern; reference:md5,b91315805ef1df07bdbfa07d3a467424; reference:url,www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-behind-the-syria-conflict.pdf; classtype:trojan-activity; sid:2020343; rev:3; metadata:affected_product Android, attack_target Mobile_Client, created_at 2015_02_03, deployment Perimeter, signature_severity Major, tag Android, updated_at 2020_05_15, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)