alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Pottieq.A Check-in"; flow:established,to_server; http.method; content:"POST"; http.header; content:"User-Agent|3a 20 7b|"; fast_pattern; http.user_agent; bsize:36; pcre:"/^\{[0-9a-z]{8}-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\-[0-9a-z]+\}$/i"; http.request_body; content:"pc="; content:"mail="; content:"guid="; nocase; pcre:"/(?:^|&)id=\d+(?:$|&)/"; http.header_names; content:!"|0d 0a|Accept"; content:!"Cookie|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom%3aWin32/Pottieq.A; reference:md5,909bce4dea2ca76cab87ce186d9cdfdc; classtype:trojan-activity; sid:2022988; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2016_07_27, deployment Perimeter, malware_family Pottieq, performance_impact Low, signature_severity Major, tag Pottieq, updated_at 2024_03_11;)