Rodrigo Montoro put out this wonderful blog post about the detection of some Brazilian Trojan Banking Trojans with HTTP Inspect using suppressions.
The same concept could be applied with the IP Whitelisting technology in Snort now. Either way, please read this great article!
http://blog.spiderlabs.com/2012/03/detecting-brazilian-trojan-bankers-with-snort-http_inspect.html
