alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:established,to_server; http.uri; content:!"/CallParrotWebClient/"; http.header.raw; content:!"Cookie|3a 20|PREF|3d|ID|3d|"; nocase; http.header; content:"User-Agent|3a 20|Mozilla/4.0|0d 0a|"; fast_pattern; nocase; http.host; content:!"www.google.com"; content:!"secure.logmein.com"; content:!"weixin.qq.com"; content:!"slickdeals.net"; content:!"cloudera.com"; content:!"secure.digitalalchemy.net.au"; content:!".ksmobile.com"; content:!"gstatic.com"; content:!".cmcm.com"; content:!".deckedbuilder.com"; content:!".mobolize.com"; content:!"wq.cloud.duba.net"; content:!"infoc2.duba.net"; content:!".bitdefender.net"; classtype:bad-unknown; sid:2003492; rev:36; metadata:created_at 2010_07_30, performance_impact Significant, confidence Medium, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_11;)