alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY HotSpotShield Activity"; flow:established,to_server; http.method; content:"POST"; http.request_body; content:"|2d 2d 41 66 50 72 30 78 59|"; depth:9; content:"|2d 2d 41 66 50 72 30 78 59 2d 2d|"; distance:0; http.content_type; content:"multipart/form-data|3b 20|boundary=AfPr0xY"; fast_pattern; bsize:37; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,45f4e1bb4efd12f0e8b949174a198bf3; classtype:policy-violation; sid:2022533; rev:4; metadata:created_at 2016_02_17, deprecation_reason Duplicate, confidence High, signature_severity Informational, updated_at 2023_07_05;)