alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:md5,94e13e13c6da5e32bde00bc527475bd2; classtype:trojan-activity; sid:2010594; rev:8; metadata:created_at 2010_07_30, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)