BACKDOOR [PTsecurity] GoRed Exfiltration

SID: 10011378
Rev: 1
Source: ptrules/open
Created: October 9, 2025
Updated: October 9, 2025
Classification: trojan-activity
alert tcp any any -> any any (msg:"BACKDOOR [PTsecurity] GoRed Exfiltration"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/api/collection-result"; depth:22; isdataat:!1, relative; http.header; content:"User-Agent: Go-http-client/"; content:"Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"; distance:0; content:"Client-Id: "; distance:0; content:"Accept-Encoding: gzip"; distance:0; content:!"Referer"; reference:url, https://app.any.run/tasks/e94958c4-37a6-4f46-9098-b90fb36ae266; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011378; rev:1;)
