alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Win32/DownWare.V Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"av="; content:"&mac="; content:"&os="; distance:17; within:4; content:"&secret="; distance:0; fast_pattern; content:"&sid="; pcre:"/^[0-9a-fA-F]{8}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{4}\b-[0-9a-fA-F]{12}$/R"; reference:md5,68b8cd6e7905578b21dd2ad02b33648c; classtype:pup-activity; sid:2034903; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_01_12, deployment Perimeter, confidence High, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_12, mitre_tactic_id TA0040, mitre_tactic_name Impact, mitre_technique_id T1496, mitre_technique_name Resource_Hijacking;)