alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/Lile.A DoS Outbound"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 30; http.method; content:"GET"; http.header; content:"UserAgent|3a|"; content:"Windows 98"; fast_pattern; http.host; content:"www.fbi.gov"; startswith; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:5; metadata:created_at 2012_08_07, signature_severity Major, updated_at 2020_09_17;)