alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/SSLoad Tasking Request (POST)"; flow:established,to_server; flowbits:set,ET.SSLoad1_1.TaskingRequest; http.method; content:"POST"; http.uri; content:"/api/"; startswith; pcre:"/^[a-f0-9]{8}-([a-f0-9]{4}-){3}[a-f0-9]{12}/R"; content:"/tasks"; endswith; http.referer; content:"|2a 2f 2a|"; bsize:3; fast_pattern; http.content_type; content:"application/json"; bsize:16; http.content_len; byte_test:0,=,0,0,string,dec; reference:md5,d6b0726de53f8a3da67a6e693485ca7a; reference:md5,ca303668b5420c022ef9c78ce1f2bfb7; classtype:trojan-activity; sid:2052099; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_01_18, deployment Perimeter, malware_family SSLoad, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_18, former_sid 2856178; target:src_ip;)