ET DELETED Zeus CnC Checkin POST to Config.php

SID: 2014460
Rev: 5
Source: et/open
Created: April 4, 2012
Updated: July 26, 2019
Classification: command-and-control
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:command-and-control; sid:2014460; rev:5; metadata:created_at 2012_04_04, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)

Metadata

created at: 2012_04_04
signature severity: Unknown
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2019_07_26
