alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Royal Road Payload Retrieval Attempt"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/doc/tmp.php?Data|3d|"; fast_pattern; startswith; pcre:"/^[a-zA-Z0-9%+/=]{10}/R"; reference:md5,b85316f68d9f1dbac481e3f397ebf1b0; classtype:trojan-activity; sid:2052285; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2024_04_29, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, updated_at 2024_04_29; target:src_ip;)