alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential FakeAV HTTP GET Check-IN (/check)"; flow:established,to_server; urilen:6; http.method; content:"GET"; http.uri; content:"/check"; nocase; http.user_agent; bsize:27; content:"Microsoft|20|Internet|20|Explorer"; fast_pattern; nocase; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; nocase; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; startswith; reference:url,microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Rogue%3AWin32/FakeSpypro; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; classtype:trojan-activity; sid:2010597; rev:9; metadata:created_at 2010_07_30, performance_impact Moderate, signature_severity Major, updated_at 2024_04_10;)