alert http $HOME_NET any -> [!208.87.232.0/21,!216.115.208.0/20,!216.219.112.0/20,!66.151.158.0/24,!66.151.150.160/27,!66.151.115.128/26,!64.74.80.0/24,!202.173.24.0/21,!67.217.64.0/19,!78.108.112.0/20,!68.64.0.0/19,!206.183.100.0/22,!173.199.0.0/18,!103.15.16.0/22,!180.153.30.0/23,!140.207.108.0/23,!23.239.224.0/19,!185.36.20.0/22,!8.28.150.0/24,!54.208.0.0/15,!54.248.0.0/15,!70.42.29.0/27,!72.5.190.0/24,!104.129.194.0/24,!104.129.200.0/24,!199.168.148.0/24,!199.168.151.0/24,!216.52.207.64/26,$EXTERNAL_NET] $HTTP_PORTS (msg:"ET ADWARE_PUP User-Agent (Mozilla/4.0 (compatible))"; flow:to_server,established; http.uri; content:!"/?rnd="; depth:6; http.header; content:!"citrixonline.com"; http.user_agent; content:"Mozilla/4.0 (compatible)"; fast_pattern; bsize:24; classtype:pup-activity; sid:2008974; rev:16; metadata:created_at 2010_07_30, confidence High, signature_severity Minor, updated_at 2020_08_31;)