Suricata

A rule like

alert http $HOME_NET any -> $EXTERNAL_NET any \
    (msg:"ET TROJAN Variant.Zusy.45802 Checkin";
    flow:to_server,established;
    content:".php?uid="; fast_pattern:only; http_uri;
    content:"&affid="; http_uri;
    content:"Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1)"; http_user_agent; pcre:"/^$/RV";
    content:!"Referer|3a 20|"; http_header; pcre:"/\.php\?uid=[-a-f0-9]+?&affid=\d+$/Ui";
    classtype:trojan-activity; sid:2016816; rev:3;)

Would set up 2 "buffers": one for the initial set of contents modified to http_uri, the second for the pcre with /U.