alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon CnC Checkin (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; endswith; http.request_body; content:"ilogin="; startswith; fast_pattern; pcre:"/^[A-Z0-9]{8}/R"; content:"|25|3b"; within:3; pcre:"/^[a-z0-9]{10}$/R"; reference:md5,0b27c465c9104e9a711c83ec4d5a04a4; reference:url,x.com/Cyber0verload/status/1828407745067835445; classtype:trojan-activity; sid:2055530; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_08_27, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Critical, tag Gamaredon, updated_at 2024_08_27;)