alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger HTTP Pattern"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:"/post.php?type="; fast_pattern; content:"&machinename="; distance:0; http.header_names; content:!"User-Agent|0d 0a|"; http.header; pcre:"/^Host\x3a[^\r\n]+\r\n(?:Connection\x3a\x20Keep-Alive\r\n)?(?:\r\n)?/"; reference:md5,5626771cf6751286de4b90ea4b8df94d; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:trojan-activity; sid:2021440; rev:3; metadata:created_at 2015_07_20, signature_severity Major, updated_at 2020_05_29;)