alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus Bot Request to CnC 2"; flow:established,to_server; http.method; content:"GET"; nocase; http.header; content:"Accept|3a 20 2a 2f 2a 0d 0a|If|2d|None|2d|Match|3a 20|"; startswith; fast_pattern; content:"|0d 0a|Cache|2d|Control|3a 20|no|2d|cache|0d 0a|User|2d|Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Connection|3a 20|Close|0d 0a|"; endswith; classtype:command-and-control; sid:2013348; rev:9; metadata:created_at 2011_08_04, confidence Medium, signature_severity Major, updated_at 2024_02_16;)