alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"REMOTE [PTsecurity] Possible PupyRAT"; flow:established, to_server; content:"/index.php?d="; http_uri; depth:13; pcre:"/^(?:[A-Za-z0-9\-\_]{4}){4,}(?:[A-Za-z0-9\-\_]{2}[AEIMQUYcgkosw048]|[A-Za-z0-9\-\_][AQgw])$|(?:[A-Za-z0-9\-\_]{4}){5,}$/UR"; content:"User-Agent: Mozilla/5.0"; http_header; content:"Connection: keep-alive"; http_header; content:!"Referer"; http_header; reference:url, https://github.com/n1nj4sec/pupy/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10008451; rev:1;)