alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE RHttpCtrl Backdoor CnC"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ver="; startswith; content:"&id="; distance:0; content:"&random="; distance:0; content:"&hname="; distance:0; content:"&lanip="; distance:0; fast_pattern; content:"&os="; distance:0; reference:md5,ed09b0dba74bf68ec381031e2faf4448; reference:url,www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/; classtype:command-and-control; sid:2030397; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_06_25, deployment Perimeter, malware_family APT30, performance_impact Low, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_06_25;)