alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Matsnu Checkin"; flow:to_server,established; http.method; content:"POST"; nocase; http.uri; content:".php?"; fast_pattern; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0b|3b 20|Windows NT 5.0|3b 20|.NET CLR 1.0.2914)"; bsize:70; http.request_body; content:"="; depth:7; content:"AA"; distance:3; within:2; pcre:"/^[a-z]{1,7}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.connection; content:"Keep-AliveCache-Control|3a 20|no-cache"; bsize:33; http.header_names; content:!"Referer|0d 0a|"; reference:md5,7ff6912828faedbf39c4c66c7ba0260d; reference:md5,0361c2685bf799c04d796a6d18e1f075; reference:url,blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf; classtype:command-and-control; sid:2021399; rev:6; metadata:created_at 2015_07_10, performance_impact Significant, signature_severity Major, updated_at 2024_04_30;)