REMOTE [PTsecurity] Possible PupyRAT
Source: ptrules/open
Created: October 9, 2025
Updated: October 9, 2025
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"REMOTE [PTsecurity] Possible PupyRAT"; flow:established, to_server; content:"/ws/"; http_uri; depth:4; pcre:"/^[a-f0-9]{8}$/UR"; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"; http_header; content:"Connection: keep-alive"; http_header; content:!"Referer"; http_header; reference:url, https://github.com/n1nj4sec/pupy/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10008450; rev:1;)