These signatures require TLS decryption.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zloader Known User-Agent"; flow:established,to_server; http.user_agent; content:"PresidentPutin"; classtype:trojan-activity; reference:url,Technical Analysis of Zloader 2.9.0.4 | ThreatLabz; sid:192001; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Zloader HTTP POST Rand Header"; content:"POST"; http_method; urilen:1; content:"/"; http_uri; content:"Rand|3A| "; http_header; content:!"Referer|3A|"; http_header; classtype:trojan-activity; reference:url,Technical Analysis of Zloader 2.9.0.4 | ThreatLabz; sid:192002; rev:1;)
Kind Regards,
Kevin Ross
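
The match conditions of the two rules above, approximated in Python over constructed HTTP requests so the logic can be checked before deployment. This is an added example, not part of the original post; the names `parse_request` and `matching_sids` and all sample requests are assumptions, and Suricata's own buffer normalization is not reproduced.

```python
from typing import List, Tuple


def parse_request(raw: bytes) -> Tuple[bytes, bytes, bytes, bytes]:
    """Split a decrypted HTTP/1.x request into method, URI, header block, User-Agent."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    header_block = b"\r\n".join(lines[1:]) + b"\r\n"
    user_agent = b""
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            user_agent = value.strip()
    return method, uri, header_block, user_agent


def matching_sids(raw: bytes) -> List[int]:
    """Return the sids whose content conditions the request satisfies."""
    method, uri, headers, user_agent = parse_request(raw)
    sids = []
    # sid 192001: case-sensitive substring in the User-Agent (rule has no nocase)
    if b"PresidentPutin" in user_agent:
        sids.append(192001)
    # sid 192002: POST, URI of length 1 containing "/", a "Rand: " header, no "Referer:"
    if (b"POST" in method and len(uri) == 1 and b"/" in uri
            and b"Rand: " in headers and b"Referer:" not in headers):
        sids.append(192002)
    return sids


# Constructed sample requests (not captured traffic).
BEACON = (b"POST / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: PresidentPutin\r\n"
          b"Rand: abc123\r\nContent-Length: 4\r\n\r\nAAAA")
WITH_REFERER = (b"POST / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
                b"Rand: abc123\r\nReferer: http://example.com/\r\n\r\n")
LONGER_URI = (b"POST /a HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
              b"Rand: abc123\r\n\r\n")
LOWERCASE_HEADER = (b"POST / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n"
                    b"rand: abc123\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("beacon", BEACON), ("with referer", WITH_REFERER),
                       ("longer uri", LONGER_URI), ("lowercase header", LOWERCASE_HEADER)]:
        print(label, matching_sids(req))
```

The last sample shows that neither rule uses `nocase`, so a differently cased header name or User-Agent string does not match in this approximation.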