ET MALWARE Zeus POST Request to CnC - cookie variation

SID: 2014107
Rev: 5
Source: et/open
Created: January 10, 2012
Updated: March 22, 2024
Classification: command-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zeus POST Request to CnC - cookie variation"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Accept|3a 20|*/*|0d 0a|Accept-Language|3a 20|en-us|0d 0a|Cookie|3a 20|cid="; fast_pattern; startswith; content:"|3a 20|no-cache|0d 0a|"; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Cookie|0d 0a|"; startswith; content:"|0d 0a|User-Agent|0d 0a|"; distance:-2; content:"|0d 0a|Host|0d 0a|"; distance:-2; content:"|0d 0a|Content-Length|0d 0a|"; distance:-2; content:"|0d 0a|Connection|0d 0a|"; distance:-2; http.user_agent; content:"Mozilla"; startswith; http.content_len; byte_test:0,>,0,0,string,dec; http.connection; bsize:10; content:"Keep-Alive"; reference:url,zeustracker.abuse.ch/monitor.php?search=209.59.216.103; classtype:command-and-control; sid:2014107; rev:5; metadata:created_at 2012_01_10, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_22;)

Metadata

created at: 2012_01_10
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_03_22
