# OSX/LaoShu: DNS query for floracrunch.com (or any name ending in it) sent by a
# $HOME_NET host to any destination on UDP/53.
# - The first content is pinned to payload bytes 2-11 (offset:2; depth:10): it
#   skips the 2-byte transaction ID and matches flags 0x0100 (standard query,
#   recursion desired), QDCOUNT=1 and ANCOUNT/NSCOUNT/ARCOUNT=0.
# - The second content is the QNAME in DNS wire format (length-prefixed labels
#   plus the root terminator). distance:0 lets it match anywhere after the
#   header, so sub-domains hit as well; nocase covers mixed-case queries.
# NOTE(review): because ARCOUNT must be 0, a query that carries an EDNS0 OPT
# record does not match, and DNS over TCP/DoT/DoH is outside this rule. Back it
# with resolver or passive-DNS logs where that coverage matters.
# NOTE(review): the destination is "any", so queries to an internal resolver
# alert too. If the sensor only sees resolver-to-upstream traffic, the alert
# source may be the resolver rather than the infected host - confirm placement.
alert udp $HOME_NET any -> any 53 (msg:"AV TROJAN OSX/LaoShu DNS Query Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|floracrunch|03|com|00|"; fast_pattern; nocase; distance:0; classtype:trojan-activity; sid:9000002; rev:1;)
# OSX/LaoShu: HTTP POST from $HOME_NET to $EXTERNAL_NET whose URI contains
# ".php?yin=".
# - flow:established,to_server restricts the match to client-to-server traffic
#   on an established session.
# - "POST" is matched in the method buffer (http_method), ".php?yin=" in the
#   URI buffer (http_uri, nocase) and "Host: " in the header buffer (http_header).
# NOTE(review): the msg text ends at "Request for" and looks truncated - confirm
# the intended wording with the rule author before changing it.
# NOTE(review): a "Host: " header is present in almost every HTTP/1.1 request,
# so that match barely narrows the rule. The effective signature is
# POST + ".php?yin=", with no host, user-agent or body content pinned. Triage
# hits against endpoint evidence, and tighten the rule if a stable indicator
# for this family is available.
# NOTE(review): only traffic the engine parses as HTTP is inspected; the same
# request inside TLS is not visible to this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"AV TROJAN OSX/LaoShu HTTP Request for"; flow:established,to_server; content:"POST"; http_method; content:".php?yin="; http_uri; nocase; content:"Host|3a 20|"; http_header; classtype:trojan-activity; sid:9000003; rev:1;)
