alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Fruspam polling for IP likely infected"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/automation/n09230945.asp"; fast_pattern; http.user_agent; content:"Mozilla/5.0 (X11|3b 20|U|3b 20|Linux i686|3b 20|en-US|3b 20|rv|3a|1.9.0.4) Ubuntu/8.04 (hardy) Firefox/3.0.0"; depth:85; endswith; reference:url,community.ca.com/blogs/securityadvisor/archive/2009/03/26/in-the-wild-win32-fruspam-using-american-greetings.aspx; classtype:trojan-activity; sid:2011072; rev:7; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2020_10_14;)