alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Potao CnC POST Response"; flow:to_client,established; http.server; content:"nginx"; startswith; file.data; content:"<?xml version=|27|1.0|27|?>"; depth:21; content:"<methodResponse>"; distance:1; content:"<params>|0a|<param>"; distance:1; content:"<value><base64>"; fast_pattern; distance:1; pcre:"/^\x0a(?:[A-Za-z0-9/+]{4})*(?:[A-Za-z0-9/+]{2}==|[A-Za-z0-9/+]{3}=|[A-Za-z0-9/+]{4})\x0a/R"; classtype:command-and-control; sid:2021555; rev:3; metadata:created_at 2015_07_31, signature_severity Major, updated_at 2020_05_29;)