James_inthe_box

Darkgate suricata snort sigs

Nov 16th, 2018
# Rule 1: DarkGate C2 check-in. Matches the Synapse (Delphi HTTP library) User-Agent plus the id=/data=/action= POST parameters, on ports other than $HTTP_PORTS. The http_header/http_method keywords only fire if the engine recognises HTTP on those non-standard ports (Suricata does port-independent app-layer detection; Snort needs http_inspect configured for them).
alert tcp any any -> any !$HTTP_PORTS (msg:"TROJAN DarkGate CNC Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla|2f|4|2e|0 |28|compatible|3b| Synapse|29|"; http_header; content:"POST"; http_method; content:"id="; content:"data="; content:"action="; reference:md5,33aabffe4ece4d725e558e87d26a9b14; classtype:trojan-activity; sid:20166265; rev:1; metadata:created_at 2018_11_16;)

# Rule 2: DarkGate fetching its C2 address from a pastebin.com raw paste with the hard-coded "MyApp" User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN DarkGate retrieving CNC"; flow:established,to_server; content:"GET"; http_method; content:"/raw/"; content:"Host|3a 20|pastebin.com|0d 0a|"; content:"User-Agent|3a| MyApp"; http_header; reference:md5,33aabffe4ece4d725e558e87d26a9b14; classtype:trojan-activity; sid:20166266; rev:1; metadata:created_at 2018_11_16;)
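To see what these two signatures actually look for, here is an added Python example (not part of the paste) that decodes the Snort/Suricata |hex| content escapes from the rules above and applies the content strings to three constructed HTTP requests; it approximates the rules only (flow, port and buffer scoping are ignored, every content string is searched in the whole request).

```python
# Minimal emulation of the content matches in sid 20166265 and 20166266.
# Not a rule engine: flow/port checks and http_header/http_method buffer
# scoping are approximated by searching the entire request bytes.

def decode_content(s: str) -> bytes:
    """Turn a rule content string such as 'Host|3a 20|pastebin.com|0d 0a|'
    into raw bytes; text between pipes is space-separated hex."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        if i % 2:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)

# content:"..." strings copied verbatim from the two rules
RULES = {
    20166265: ["User-Agent|3a| Mozilla|2f|4|2e|0 |28|compatible|3b| Synapse|29|",
               "POST", "id=", "data=", "action="],
    20166266: ["GET", "/raw/", "Host|3a 20|pastebin.com|0d 0a|",
               "User-Agent|3a| MyApp"],
}

def matching_sids(request: bytes) -> list:
    """Return the sids whose every content string occurs in the request
    (all contents of one rule must match, case-sensitively, as in the rules)."""
    return [sid for sid, contents in RULES.items()
            if all(decode_content(c) in request for c in contents)]

# Constructed sample requests (assumptions for this example, not real captures)
CHECKIN = (b"POST /index.php HTTP/1.1\r\nHost: 203.0.113.5:8080\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; Synapse)\r\n"
           b"Content-Length: 37\r\n\r\n"
           b"id=1234&data=ZXhhbXBsZQ==&action=ping")
PASTE_FETCH = (b"GET /raw/AbCdEfGh HTTP/1.1\r\nHost: pastebin.com\r\n"
               b"User-Agent: MyApp\r\n\r\n")
BENIGN = (b"GET /raw/AbCdEfGh HTTP/1.1\r\nHost: pastebin.com\r\n"
          b"User-Agent: curl/7.61.0\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("checkin", CHECKIN), ("paste_fetch", PASTE_FETCH),
                      ("benign", BENIGN)]:
        print(name, matching_sids(req))
```

The benign pastebin fetch shows why the "MyApp" User-Agent content is needed: without it, rule 2 would alert on any raw-paste download.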