It seems BlackBerry devices POST an XML with some information about the device to a URI of preAuth. I propose just simply negating the BlackBerry website to make sure it isn't this.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE XML Style POST Of IMSI International Mobile Subscriber Identity"; flow:established,to_server; content:"POST"; http_method; content:!"blackberry.com"; nocase; http_header; content:"<IMSI>"; http_client_body; nocase; content:"<|2F|IMSI"; nocase; http_client_body; distance:0; reference:url,www.learntelecom.com/telephony/gsm/international-mobile-subscriber-identity-imsi; classtype:trojan-activity; sid:2013139; rev:3;)

Regards, Kevin
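
The effect of the negated header match, as an added example that is not part of the original message or the ET ruleset: a Python approximation of the rule's content matches, run over constructed HTTP requests. The host names, paths other than preAuth, and the test-network IMSI value are assumptions made for illustration.

```python
# Approximates the content matches of sid:2013139 rev:3 (not the IDS engine itself).

def parse_request(raw: bytes):
    """Split a raw HTTP request into method, header block and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    return request_line.split(b" ", 1)[0], headers, body

def rule_matches(raw: bytes) -> bool:
    method, headers, body = parse_request(raw)
    if method != b"POST":                      # content:"POST"; http_method;
        return False
    if b"blackberry.com" in headers.lower():   # content:!"blackberry.com"; nocase; http_header;
        return False
    lowered = body.lower()
    start = lowered.find(b"<imsi>")            # content:"<IMSI>"; nocase; http_client_body;
    if start == -1:
        return False
    # content:"<|2F|IMSI"; nocase; distance:0; -> must start after the end of
    # the previous match. Searching from the first "<imsi>" covers every case.
    return lowered.find(b"</imsi", start + len(b"<imsi>")) != -1

def build(method: str, path: str, host: str, body: str) -> bytes:
    """Assemble a constructed request for the samples below."""
    return (f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()

# Constructed sample traffic; 001010123456789 uses the test MCC/MNC 001/01.
IMSI_XML = "<device><IMSI>001010123456789</IMSI></device>"
SAMPLES = {
    "blackberry_preauth": build("POST", "/preAuth", "www.BlackBerry.com", IMSI_XML),
    "unknown_host_post": build("POST", "/upload", "collector.example", IMSI_XML.lower()),
    "get_request": build("GET", "/upload", "collector.example", IMSI_XML),
    "close_before_open": build("POST", "/upload", "collector.example", "</IMSI><IMSI>"),
}

def evaluate() -> dict:
    """Return which constructed samples would raise the alert."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, alerted in evaluate().items():
        print(f"{name:20} alert={alerted}")
```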