alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rodmacer Stealer Data Exfiltration Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:5; content:"/data"; http.header; content:"user|3a 20|admin"; http.header_names; content:"|0d 0a|uuid|0d 0a|"; content:"|0d 0a|buildid|0d 0a|"; fast_pattern; reference:url,x.com/karol_paciorek/status/1803357816746360903; reference:md5,14a50273e7c37a994c687cbce8eb4703; classtype:trojan-activity; sid:2055531; rev:1; metadata:affected_product Mac_OSX, tls_state plaintext, created_at 2024_08_27, deployment Perimeter, malware_family Rodmacer_Stealer, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_08_27; target:src_ip;)