alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/GMERA.B CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/link.php?"; depth:10; fast_pattern; content:"&"; distance:0; pcre:"/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/R"; http.header_names; content:!"Referer"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website; classtype:command-and-control; sid:2028620; rev:2; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2019_09_24, deployment Perimeter, malware_family OSX_GMERA_B, confidence High, signature_severity Major, updated_at 2020_09_02;)