alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET USER_AGENTS Suspicious User Agent (Autoupdate)"; flow:established,to_server; http.header; content:!" Creative AutoUpdate v"; http.user_agent; content:"Autoupdate"; nocase; depth:10; content:!"McAfeeAutoUpdate"; nocase; http.host; content:!"update.nai.com"; content:!"nokia.com"; content:!"sophosupd.com"; content:!"sophosupd.net"; content:!"wholetomato.com"; content:!".acclivitysoftware.com"; classtype:pup-activity; sid:2003337; rev:23; metadata:created_at 2010_07_30, deployment Perimeter, deployment alert_only, performance_impact Low, confidence Low, signature_severity Minor, updated_at 2023_05_31;)