alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Connectivity Check"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.user_agent; content:"Mozilla/"; depth:8; http.host; content:!"login.live.com"; endswith; content:!"google.com"; endswith; content:!"www.bing.com"; endswith; content:!"yandex.ru"; endswith; content:!"linkedin.com"; endswith; http.connection; content:"close"; nocase; http.protocol; content:"HTTP/1.1"; http.header_names; content:"|0d 0a|Accept|0d 0a|Connection|0d 0a|User-Agent|0d 0a|"; content:!"Referer"; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2011588; rev:26; metadata:created_at 2010_10_02, performance_impact Moderate, signature_severity Major, updated_at 2024_04_09;)