SPYWARE [PTsecurity] Buhtrap/Ratopak

SID: 10003294
Rev: 6
Views: 23
Source: ptrules/open
Created: October 9, 2025
Updated: October 9, 2025
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SPYWARE [PTsecurity] Buhtrap/Ratopak"; flow:established, to_server; content:"POST"; http_method; content:".php"; http_uri; content:!"upload.php"; http_uri; content:"Cache-Control: no-cache"; http_header; content:"Connection: Keep-Alive"; http_header; distance:0; content:"Pragma: no-cache"; http_header; distance:0; content:"Content-Type: multipart/form-data|3b| boundary="; http_header; distance:0; content:"User-Agent: "; http_header; distance:0; content:"Content-Length: "; http_header; distance:0; content:"Host: "; http_header; distance:0; content:!"Referer|3a|"; http_header; content:"Content-Disposition: form-data|3b| name=|22|"; http_client_body; fast_pattern; content:!".bin|22|"; within:24; http_client_body; pcre:"/^(?:[a-z]){4,32}\x22/RP"; content:"Content-Type: application/octet-stream"; http_client_body; within:100; pcre:"/(?:[\x0e-\x19]|[\x80-\xff]){4}/RP"; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10003294; rev:6;)
