alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Torpig Infection Reporting"; flow:established,to_server; content:"POST"; depth:4; http_method; content:!"User-Agent|3a| "; http_header; content:"Content-Length|3a| 0|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|"; http_header; pcre:"/^\/[0-9A-F]{16}\/[0-9A-Za-z\+\/]{100,}$/U"; reference:url,www2.gmer.net/mbr/; reference:url,www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf; reference:url,offensivecomputing.net/?q=node/909; classtype:trojan-activity; sid:2008660; rev:10; metadata:created_at 2010_07_30, deprecation_reason Performance, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_22;)