alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE PunkeyPOS HTTP CnC Beacon 2"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"version="; depth:8; fast_pattern; pcre:"/^version=\d{4}-\d{1,2}-\d{1,2}$/"; http.content_type; content:"application/x-www-form-urlencoded"; bsize:33; http.header_names; content:!"Accept|0d 0a|"; content:!"Referer|0d 0a|"; reference:url,trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/; reference:md5,43c277dd56f9c6de4b8dc249e12039df; classtype:command-and-control; sid:2020936; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_04_17, deployment Perimeter, signature_severity Major, tag c2, updated_at 2020_06_29, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)