alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/PlugX/Talisman Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.header; content:"MCookie|3a 20|"; fast_pattern; pcre:"/^[0-9]-[0-9]-[0-9]{5}-[0-9]\r\n/R"; http.header_names; content:!"Referer|0d 0a|"; content:!"|0d 0a|Accept-"; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,ecab63b6de18073453310a9c4551074b; reference:url,www.trellix.com/en-us/about/newsroom/stories/threat-labs/plugx-a-talisman-to-behold.html; classtype:trojan-activity; sid:2035689; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_31, deployment Perimeter, malware_family PlugX, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_16;)