Hi,


A pcap for this one is available. 


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker NeutrinoPOS variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&99="; http_uri; content:"&f1="; http_uri; content:"Accept-Charset|3A 20|"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity; sid:9000049; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker NeutrinoPOS variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/index.php?&1001="; fast_pattern:only; http_uri; content:"&req="; http_uri; content:!"Connection"; http_header; content:"1="; within:3; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/detection; classtype:trojan-activity; sid:9000050; rev:1;)


Thanks.

YM
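
Added example, not part of the original post and not the rule author's code: a Python check that applies the content conditions of the two rules above to raw HTTP requests, so the logic can be sanity-checked against requests pulled from a capture or proxy log. The function names and sample requests are constructed for illustration; matching is plain case-sensitive substring search rather than Snort's normalized buffers, and reading `within:3` as "inside the first three body bytes" is an assumption.

```python
# Added illustration; not part of the original post.
SIG_GET, SIG_POST = 9000049, 9000050  # sids taken from the two rules above

def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[0], parts[1], header_block + b"\r\n", body

def match_rules(raw: bytes):
    """Return the sids whose content checks the request satisfies."""
    try:
        method, uri, headers, body = split_request(raw)
    except ValueError:
        return []
    hits = []
    if b"/index.php?&1001=" not in uri:   # fast_pattern shared by both rules
        return hits
    if (b"GET" in method and b"&99=" in uri and b"&f1=" in uri
            and b"Accept-Charset: " in headers):
        hits.append(SIG_GET)
    # Assumption: "within:3" on the client body is read as '"1=" inside
    # the first three body bytes'.
    if (b"POST" in method and b"&req=" in uri
            and b"Connection" not in headers and b"1=" in body[:3]):
        hits.append(SIG_POST)
    return hits

# Constructed sample requests (hosts and parameter values are made up).
SAMPLES = {
    "get_checkin": b"GET /index.php?&1001=7&99=1&f1=abc HTTP/1.1\r\n"
                   b"Host: c2.example\r\nAccept-Charset: utf-8\r\n\r\n",
    "post_report": b"POST /index.php?&1001=7&req=2 HTTP/1.1\r\n"
                   b"Host: c2.example\r\nContent-Length: 7\r\n\r\n&1=data",
    "post_keepalive": b"POST /index.php?&1001=7&req=2 HTTP/1.1\r\n"
                      b"Host: c2.example\r\nConnection: close\r\n\r\n&1=data",
    "benign": b"GET /index.php?id=1001 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, match_rules(raw))
```

The `post_keepalive` sample shows the effect of the negated `Connection` check: any request that carries that header is skipped by sid 9000050 even when every other condition holds.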