alert http any any -> any any (msg:"STEALER [PTsecurity] Trojan.Stealer"; flow:established, to_server; http.method; content:"POST"; http.header; content:"Accept-Encoding: identity"; content:"User-Agent: Python-urllib/"; content:"Content-Type: application/x-www-form-urlencoded"; content:"Connection: close"; content:!"Referer"; http.request_body; content:"Image Name"; content:"PID"; distance:0; content:"Session Name"; distance:0; content:"Session#"; distance:0; fast_pattern; content:"Mem Usage"; distance:0; reference:url, cyble.com/blog/silent-intrusion-unraveling-the-sophisticated-attack-leveraging-vs-code-for-unauthorized-access/; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10012179; rev:1;)