alert http any any -> any any (msg:"BOTNET [PTsecurity] Andromeda"; flow:established, to_server; pcre:"/^\/[0-9]{9}$/U"; http.method; content:"POST"; http.header; content:"Content-Type|3a| application/x-www-form-urlencoded"; content:"Expect|3a| 100-continue"; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; http.request_body; content:"status%5D%20Logger%20started%20with%20PID%20"; depth:100; reference:url, app.any.run/tasks/92d87d3c-c6b0-4172-ba02-7b9afc40df7e; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10013882; rev:1;)