alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Infostealer.Snifula File Upload"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".cgi"; http.header; content:"User-Agent|3a 20|IE|0d 0a|"; http.request_body; content:"name|3d 22|upload_file|22 3b 20|filename|3d 22|"; fast_pattern; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:md5,be16b8d1b85843c89301f189b35c4963; classtype:trojan-activity; sid:2023337; rev:4; metadata:created_at 2016_10_14, malware_family Win32_Infostealer_Snifula, signature_severity Major, updated_at 2024_03_10;)