Some Snort discussion about Murofet, Kazy, or whatever we’re calling it

Various vendors call this family of malware different things, but they all seem to exhibit similar characteristics. When writing Snort rules you want to focus on things that will be consistent, so you’ll catch more than one variant. The “Murofet” rule has been in the hands of customers since the 27th of February, so let’s use our PCRE to get rid of false positives. We don’t wind up looking at the cookies in the cookie field, so we don’t look at the cookie, body or cookie body.

Source: https://blog.talosintelligence.com/2012/03/some-snort-discussion-about-murofet.html
