alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zebrocy Screenshot Upload"; flow:established,to_server; http.method; content:"POST"; http.request_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})+/"; http.accept; content:"text/html, */*"; depth:14; endswith; http.accept_enc; content:"identity"; depth:8; endswith; http.content_len; byte_test:0,>,50000,0,string,dec; byte_test:0,<,120000,0,string,dec; http.start; content:".php HTTP/1.0|0d 0a|Connection|3a 20|keep-alive|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Content-Length|3a 20|"; fast_pattern; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,5b2eca6abe1903955d1dfd41e301e0af; classtype:targeted-activity; sid:2030122; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2020_04_23, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_11_17;)