I have been running this a while now in my environment an seems to be ok. Thoughts? Regards, Kevin<br><br>alert tcp $HOME_NET any -&gt; $EXTERNAL_NET $HTTP_PORTS (msg:&quot;ET TROJAN POST of JPEG to External Web Server - Possible Trojan Data Exfiltration/CnC Technique&quot;; flow:established,to_server; content:&quot;POST&quot;; http_method; content:&quot;|FF D8 FF E0|&quot;; http_client_body; depth:4; content:&quot;|4A 46 49 46 00|&quot;; distance:2; within:5; classtype:trojan-activity; sid:198371; rev:1;)<br>