alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Vidar Stealer Form Exfil"; flow:established,to_server; http.request_line; content:"POST|20 2f 20|"; startswith; http.request_body; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|token|22|"; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|build|5f|id|22|"; content:"file_name"; content:"Content|2d|Disposition|3a 20|form|2d|data|3b 20|name|3d 22|file|5f|data|22 0d 0a 0d 0a|UEs"; fast_pattern; reference:md5,8bea4ed23c54744533c32994e6c88deb; classtype:trojan-activity; sid:2054495; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2024_07_15, deployment Perimeter, malware_family VidarStealer, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_15;)