alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Backdoor.Dripion HTTP CnC Checkin"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"/"; http.header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; http.request_body; content:"|40 24|"; depth:2; pcre:"/^\x40\x24[^\x20-\x7e\r\n]+$/s"; http.content_type; bsize:33; content:"application/x-www-form-urlencoded"; reference:md5,e7205c0b80035b629d80b5e7aeff7b0e; reference:url,symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan; classtype:command-and-control; sid:2022689; rev:5; metadata:created_at 2016_03_30, malware_family Win32_Backdoor_Dripion, signature_severity Major, updated_at 2024_03_25;)