ET MALWARE MASSLOGGER Client Data Exfil (POST) M2
Source: et/open
Created: July 16, 2020
Updated: July 16, 2020
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MASSLOGGER Client Data Exfil (POST) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/?/upload"; endswith; fast_pattern; http.request_body; content:"Content-Disposition|3a| form-data|3b| name=|22|file|22 3b 20|filename=|22|"; pcre:"/^[^_]+_[^\_]+_[A-F0-9]{10}_[0-9]{2}-[0-9]{2}-20[0-9]{2}\s[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{1,2}\./R"; content:"zip|22 0d 0a|Content-Type: application/zip|0d 0a 0d 0a|PK"; within:41; content:"/Log.txt"; distance:0; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; startswith; content:!"|0d 0a|User-Agent|0d 0a|"; reference:md5,79efca38c3230aaae9dd8bb11f15fe43; classtype:trojan-activity; sid:2030550; rev:2; metadata:created_at 2020_07_16, confidence High, signature_severity Major, updated_at 2020_07_16;)
References
| md5 | 79efca38c3230aaae9dd8bb11f15fe43 |
Metadata
created at: 2020_07_16
confidence: High
signature severity: Major
updated at: 2020_07_16