alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Trojan-Dropper.MSIL CnC Traffic - POST"; flow:established,to_server; http.request_line; content:"POST /log HTTP/1.1"; fast_pattern; startswith; http.header; content:"Expect|3a 20|100-continue|0d 0a|"; http.header_names; content:!"Referer"; content:!"User-Agent"; reference:md5,2a93655114ec83db8d38aea680e39453; reference:md5,f7744662b78e045946678b3aab34f5b5; classtype:trojan-activity; sid:2034341; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2021_11_03, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2021_11_03;)