alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"REMOTE [PTsecurity] Possible PupyRAT"; flow:established, to_client; content:"200"; http_stat_code; content:"Content-Type: text/html|3b| charset=utf-8"; http_header; content:"Connection: keep-alive"; nocase; http_header; content:"X-Poll-Required: true"; http_header; fast_pattern; content:"Server:"; http_header; content:"Content-Length:"; http_header; pcre:"/^(?:[A-Za-z0-9\-\_]{4}){10,}(?:[A-Za-z0-9\-\_]{2}[AEIMQUYcgkosw048]|[A-Za-z0-9\-\_][AQgw])$|(?:[A-Za-z0-9\-\_]{4}){11,}$/Q"; reference:url, https://github.com/n1nj4sec/pupy/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10008452; rev:2;)