alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vawtrak HTTP CnC Beacon"; flow:established,to_server; http.method; content:"POST"; http.cookie; content:"PHPSESSID="; depth:10; fast_pattern; pcre:"/^[A-F0-9]{32}$/R"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; http.content_type; content:"application/octet-stream"; depth:24; endswith; http.header_names; content:!"IBM-PROXY-WTE"; nocase; classtype:command-and-control; sid:2022225; rev:11; metadata:attack_target Client_Endpoint, created_at 2015_12_08, deployment Perimeter, performance_impact Significant, signature_severity Major, tag c2, updated_at 2024_05_01, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)