alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ZeroAccess HTTP GET request"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"?w="; fast_pattern; content:"&i="; content:"&v="; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/"; http.header_names; content:"|0d 0a|Host|0d 0a|"; startswith; content:"|0d 0a|Connection|0d 0a|Cookie|0d 0a|"; content:!"|0d 0a|Accept"; classtype:trojan-activity; sid:2015535; rev:5; metadata:created_at 2012_07_27, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_27;)