Event analysis - regular expressions

03-18-2016 07:43 AM - edited 03-10-2019 06:34 AM
Hello - I am trying to locate additional information regarding sid 32621.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Regin outbound connection"; flow:to_server,established; content:" TW="; fast_pattern:only; content:" TW="; http_cookie; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513/analysis/; classtype:trojan-activity; sid:32621; rev:3; )
I understand that once the content is matched on "TW=" the pcre is called to perform regex matching. How do I determine the contents of this specific pcre?
I understand that TAC could provide a more in-depth analysis if needed. However any additional insight I can gain into why this fired would help tremendously in future event analysis as well.
Labels: IPS and IDS
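Added example, not part of the original post and not Cisco or Snort code: a small Python parser that splits a Snort 2 text rule into its option list, attaches modifiers such as fast_pattern and http_cookie to the content they follow, collects any pcre options, and then replays the content and pcre checks against a constructed outbound HTTP request. Run on sid 32621 as posted above, the parsed option list shows exactly which detection options the rule carries. The HTTP buffer carving, the two sample requests (constructed, with a made-up cookie value), and the pcre_matches helper's treatment of flags are simplifications made for this example, not Snort's own implementation; depth, offset, distance and within are recorded but not enforced.

```python
"""Parse a Snort 2 rule and replay its content/pcre checks on a constructed HTTP request.
Added example; the buffer model is a simplification of Snort's HTTP inspector."""
import re

# The rule from the post, verbatim.
RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"MALWARE-CNC Win.Trojan.Regin outbound connection"; flow:to_server,established; '
    'content:" TW="; fast_pattern:only; content:" TW="; http_cookie; '
    'metadata:impact_flag red, policy security-ips drop, service http; '
    'reference:url,www.virustotal.com/en/file/'
    'c0cf8e008fbfa0cb2c61d968057b4a077d62f64d7320769982d28107db370513/analysis/; '
    'classtype:trojan-activity; sid:32621; rev:3; )'
)

# Options that modify the most recent content keyword rather than standing alone.
CONTENT_MODIFIERS = {"nocase", "fast_pattern", "http_cookie", "http_raw_cookie", "http_uri",
                     "http_raw_uri", "http_header", "http_raw_header", "http_client_body",
                     "http_method", "rawbytes", "depth", "offset", "distance", "within"}
# pcre flags that select a buffer (Snort 2 syntax).
PCRE_BUFFER_FLAGS = {"C": "http_cookie", "U": "http_uri", "H": "http_header",
                     "P": "http_client_body", "M": "http_method"}


def split_options(body):
    """Split the rule body on ';' while respecting quoted strings and backslash escapes."""
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch); esc = False
        elif ch == "\\":
            cur.append(ch); esc = True
        elif ch == '"':
            cur.append(ch); in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
    return [o for o in opts + ["".join(cur).strip()] if o]


def decode_content(value):
    """Turn a quoted content string, including |hex| segments, into bytes (leading spaces kept)."""
    value = value.strip()[1:-1]
    out = bytearray()
    for i, seg in enumerate(value.split("|")):
        out += bytes.fromhex(seg) if i % 2 else re.sub(r"\\(.)", r"\1", seg).encode()
    return bytes(out)


def parse_rule(rule):
    """Return header, ordered options, content matches with their buffers, pcres and sid."""
    header, body = rule.split("(", 1)
    body = body.rsplit(")", 1)[0]
    parsed = {"header": header.strip(), "options": [], "contents": [], "pcres": [], "sid": None}
    for opt in split_options(body):
        key, sep, val = opt.partition(":")
        key, val = key.strip(), (val.strip() if sep else None)
        parsed["options"].append((key, val))
        if key == "content":
            parsed["contents"].append({"pattern": decode_content(val), "buffer": "raw", "modifiers": {}})
        elif key in CONTENT_MODIFIERS and parsed["contents"]:
            c = parsed["contents"][-1]
            c["modifiers"][key] = val
            if key.startswith("http_"):
                c["buffer"] = key          # bind this content to an HTTP buffer
        elif key == "pcre":
            parsed["pcres"].append(val)
        elif key == "sid":
            parsed["sid"] = val
    return parsed


def http_buffers(request):
    """Carve a minimal set of the buffers Snort exposes for an HTTP client request (assumption)."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri = lines[0].split(b" ")[:2]
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(b":") for l in lines[1:])}
    return {"raw": request, "http_method": method, "http_uri": uri,
            "http_header": b"\r\n".join(lines[1:]), "http_cookie": headers.get(b"cookie", b""),
            "http_client_body": body}


def pcre_matches(pcre, bufs):
    """Evaluate a Snort-style pcre option ("/regex/flags", optional leading !) on the chosen buffer."""
    m = re.match(r'^(!?)"?/(.*)/([A-Za-z]*)"?$', pcre.strip(), re.S)
    negate, pattern, flags = m.group(1) == "!", m.group(2), m.group(3)
    buf, reflags = "raw", 0
    for f in flags:
        buf = PCRE_BUFFER_FLAGS.get(f, buf)
        reflags |= {"i": re.I, "s": re.S, "m": re.M}.get(f, 0)
    return (re.search(pattern.encode(), bufs[buf], reflags) is not None) != negate


def rule_matches(parsed, request):
    """True when every content (in its buffer) and every pcre of the rule matches the request."""
    bufs = http_buffers(request)
    for c in parsed["contents"]:
        hay, needle = bufs[c["buffer"]], c["pattern"]
        if "nocase" in c["modifiers"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return all(pcre_matches(p, bufs) for p in parsed["pcres"])


# Constructed sample requests; the cookie value is made up for the example.
BEACON = (b"GET /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Cookie: SESSID=abc123; TW=QUtZbGZpZ2g=\r\n\r\n")
BENIGN = (b"GET /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Cookie: SESSID=abc123; lang=en\r\n\r\n")

if __name__ == "__main__":
    parsed = parse_rule(RULE)
    print("sid", parsed["sid"], "options:", [k for k, _ in parsed["options"]])
    for c in parsed["contents"]:
        print("content", c["pattern"], "in buffer", c["buffer"], "modifiers", c["modifiers"])
    print("pcre options:", parsed["pcres"])
    print("beacon fires:", rule_matches(parsed, BEACON), "benign fires:", rule_matches(parsed, BENIGN))
```

The option list printed for sid 32621 contains two content matches (the first unbound and used as the fast pattern, the second bound to the Cookie header buffer) and no pcre entry at all, so for this rule the whole decision is the literal " TW=" substring in the outbound request's Cookie header; the pcre_matches helper only comes into play for rules that do carry a pcre option.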
