alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Hiloti Style GET to PHP with invalid terse MSIE headers"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php?"; http.user_agent; content:"Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; content:!"8"; within:1; content:"|3b 20|Windows|20|NT|20|"; distance:0; content:!"SlimBrowser"; http.host; content:!".taobao.com"; content:!".dict.cn"; content:!".avg.com"; content:!".weather.hao.360.cn"; content:!"es.f.360.cn"; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; depth:20; fast_pattern; classtype:bad-unknown; sid:2012612; rev:20; metadata:attack_target Client_Endpoint, created_at 2011_03_31, deployment Perimeter, performance_impact Significant, confidence Low, signature_severity Minor, updated_at 2024_04_09;)