STEALER [PTsecurity] Ares Client Hello Request (APT TransparentTribe)
Source: ptrules/open
Created: October 9, 2025
Updated: May 13, 2026
Classification: trojan-activity
alert http any any -> any any (msg:"STEALER [PTsecurity] Ares Client Hello Request (APT TransparentTribe)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/api/"; http.header; content:"Accept-Encoding: gzip, deflate"; content:!"Referer"; http.user_agent; content:"python-requests/"; http.request_body; content:"|7b 22|username|22 3a|"; depth:13; fast_pattern; content:"|22|platform|22 3a|"; distance:0; content:"|22|hostname|22 3a|"; distance:0; threshold:type limit, track by_src, seconds 120, count 1; reference:url, virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171/; reference:url, www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10010709; rev:2;)
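The rule above fires on a python-requests POST to a `/api/` path whose JSON body opens with `{"username":` and then carries `"platform":` and `"hostname":` in that order, with the default requests `Accept-Encoding` header present and no `Referer`; the `threshold` clause then caps alerting at one per source address per 120 seconds. The following is an added example, not PT Security code and not the Suricata engine: it re-implements those match conditions and the `limit` threshold in plain Python so the rule's logic can be exercised offline against constructed requests (the `HttpRequest` model, the sample addresses and the request bodies are all made up for the example).

```python
"""Added example: the match logic of PT Security rule sid 10010709 re-implemented
in plain Python and run over constructed HTTP requests. Not the Suricata engine
and not PT Security code; the sample traffic below is constructed, not captured."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class HttpRequest:
    """Minimal model of one client-to-server HTTP request (hypothetical, for the example)."""
    src_ip: str
    ts: float            # seconds; only the threshold uses it
    method: str
    uri: str
    headers: Dict[str, str]
    body: bytes

# Byte patterns exactly as the rule writes them (|7b 22| is '{"', |22 3a| is '":').
P_USERNAME = b'{"username":'
P_PLATFORM = b'"platform":'
P_HOSTNAME = b'"hostname":'

def matches_content(req: HttpRequest) -> bool:
    """Mirror of the rule's sticky-buffer/content checks. Every comparison is
    case-sensitive because the rule uses no 'nocase' modifier."""
    if req.method != "POST":                          # http.method; content:"POST"
        return False
    if "/api/" not in req.uri:                        # http.uri; content:"/api/"
        return False
    # http.header: the normalized header block, one "Name: value" line per header.
    header_block = "".join(f"{k}: {v}\r\n" for k, v in req.headers.items())
    if "Accept-Encoding: gzip, deflate" not in header_block:
        return False
    if "Referer" in header_block:                     # content:!"Referer"
        return False
    ua = next((v for k, v in req.headers.items() if k.lower() == "user-agent"), "")
    if "python-requests/" not in ua:                  # http.user_agent
        return False
    # http.request_body: '{"username":' must lie entirely within the first 13
    # bytes (depth:13), so at most one byte may precede the JSON object.
    p1 = req.body.find(P_USERNAME, 0, 13)
    if p1 < 0:
        return False
    # distance:0 twice: each later key must start after the previous match ends.
    p2 = req.body.find(P_PLATFORM, p1 + len(P_USERNAME))
    if p2 < 0:
        return False
    return req.body.find(P_HOSTNAME, p2 + len(P_PLATFORM)) >= 0

class LimitThreshold:
    """threshold:type limit, track by_src, seconds N, count C: at most C alerts
    per source address within each N-second window opened by its first match."""
    def __init__(self, seconds: int = 120, count: int = 1) -> None:
        self.seconds, self.count = seconds, count
        self._windows: Dict[str, Tuple[float, int]] = {}  # src -> (window start, matches)

    def alert(self, src: str, ts: float) -> bool:
        start, n = self._windows.get(src, (ts, 0))
        if ts - start >= self.seconds:                    # window expired: start a new one
            start, n = ts, 0
        n += 1
        self._windows[src] = (start, n)
        return n <= self.count

def run_rule(requests: List[HttpRequest]) -> List[Tuple[str, bool, bool]]:
    """Returns (src_ip, content matched, alert emitted) for each request, in order."""
    thr = LimitThreshold(seconds=120, count=1)
    out = []
    for r in requests:
        hit = matches_content(r)
        out.append((r.src_ip, hit, hit and thr.alert(r.src_ip, r.ts)))
    return out

def _beacon(src: str, ts: float, body: bytes, extra: Optional[Dict[str, str]] = None) -> HttpRequest:
    """Constructed python-requests style POST; the header set is what requests sends by default."""
    h = {"Host": "203.0.113.10", "User-Agent": "python-requests/2.31.0",
         "Accept-Encoding": "gzip, deflate", "Accept": "*/*", "Connection": "keep-alive",
         "Content-Type": "application/json"}
    h.update(extra or {})
    return HttpRequest(src, ts, "POST", "/api/register", h, body)

# Constructed traffic: three beacons from one host over 130 s, plus two near-misses.
SAMPLE = [
    _beacon("10.0.0.5", 0.0,   b'{"username": "alice", "platform": "Linux", "hostname": "ws01"}'),
    _beacon("10.0.0.5", 30.0,  b'{"username": "alice", "platform": "Linux", "hostname": "ws01"}'),
    _beacon("10.0.0.5", 130.0, b'{"username": "alice", "platform": "Linux", "hostname": "ws01"}'),
    # Same body but with a Referer header: content:!"Referer" fails.
    _beacon("10.0.0.7", 5.0,   b'{"username": "bob", "platform": "Windows", "hostname": "pc02"}',
            {"Referer": "http://203.0.113.10/"}),
    # Keys in a different order: '{"username":' is not within the first 13 bytes.
    _beacon("10.0.0.8", 9.0,   b'{"hostname": "pc03", "username": "carol", "platform": "Windows"}'),
]

if __name__ == "__main__":
    for src, hit, alerted in run_rule(SAMPLE):
        print(f"{src:10} match={hit!s:5} alert={alerted}")
```

Two things worth noting when tuning or porting this rule. The `depth:13` on a 12-byte pattern tolerates exactly one byte (for example a BOM fragment or a leading space) before the JSON object, so a client that pretty-prints or reorders keys is not covered. And all header matches are case-sensitive: a requests build with brotli or zstd support installed sends a longer `Accept-Encoding` value that still begins with `gzip, deflate`, so it still matches, but a proxy that lower-cases header names would defeat both the positive `Accept-Encoding` check and the `Referer` exclusion.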
References
- https://virustotal.com/gui/file/de4b4f2ec4489ffa873465683818b7db52bf914c3387dd1b84f2dd855a9a1171/
- https://www.cyfirma.com/research/apt36-python-based-elf-malware-targeting-indian-government-entities/
- https://rules.ptsecurity.com