alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BBSRAT POST request CnC"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/bbs/"; depth:5; fast_pattern; content:"/forum.php?sid="; distance:0; pcre:"/^\/bbs\/(?P<counter>[a-f0-9]+)\/forum\.php\?sid=(?P=counter)$/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Windows NT 5.1)"; startswith; http.cookie; pcre:"/[A-F0-9]{8}(?:-[A-F0-9]{4}){2}-[A-F0-9]{8}/"; http.request_body; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/"; reference:md5,8cd233d3f226cb1bf6bf15aca52e0e36; reference:url,researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/; classtype:command-and-control; sid:2022311; rev:3; metadata:created_at 2015_12_24, signature_severity Major, updated_at 2020_06_16;)