alert http $HOME_NET any -> any any (msg:"ET MALWARE DeerStealer POST Request containing Base64 Encoded 64 Byte String"; flow:established,to_server; http.method; content:"POST"; http.connection; content:"Keep-Alive"; http.header_names; content:"|0d 0a|connection|0d 0a|accept|0d 0a|user-agent|0d 0a|content-length|0d 0a|host|0d 0a 0d 0a|"; fast_pattern; nocase; http.uri; content:"|3d|"; base64_decode:offset 0,relative; base64_data; bsize:64; reference:url,any.run/cybersecurity-blog/deerstealer-campaign-analysis/; classtype:trojan-activity; sid:2061611; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_04_15, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2025_04_15; target:src_ip;)