alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; http.uri; content:"/command.php?IP="; fast_pattern; content:"ID="; pcre:"/ID=\d{24}($|&)/"; http.user_agent; bsize:1; content:"|5c|"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:command-and-control; sid:2013723; rev:4; metadata:created_at 2011_10_01, malware_family Win32_Daemonize, signature_severity Major, updated_at 2024_03_07;)