alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE LNK/Unknown Downloader CnC Checkin (POST)"; flow:established,to_server; urilen:1; http.method; content:"POST"; http.host; pcre:"/^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/"; http.user_agent; content:"Mozilla|2f|4|2e|0|20 28|compatible|3b 20|Synapse|29|"; bsize:33; http.header; content:"Keep-Alive: 300|0d 0a|"; http.connection; content:"keep-alive"; bsize:10; http.content_type; content:"application|2f|x|2d|www|2d|form|2d|urlencoded"; http.request_body; content:"id="; startswith; content:"&data="; content:"&act=100"; isdataat:!2,relative; fast_pattern; reference:md5,0185e0fc2f505312001e1a65e6783908; reference:url,twitter.com/Gi7w0rm/status/1693432581583184029; classtype:trojan-activity; sid:2047717; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_08_23, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_23, reviewed_at 2023_08_23;)