alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Rovnix Downloading Config File From CnC"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/config.php?"; http_uri; content:"user="; http_uri; content:"version="; http_uri; content:"&server="; http_uri; content:"&crc="; http_uri; pcre:"/user=[a-f0-9]{32}&/Ui"; reference:url,blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution; classtype:command-and-control; sid:2014276; rev:4; metadata:created_at 2012_02_24, signature_severity Major, updated_at 2019_07_26;)