alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32/Likseput.A Checkin"; flow:established,to_server; http.header; content:"|5c|"; within:64; content:"Host|3a 20|"; distance:0; content:!"|0d 0a|"; distance:-6; within:2; http.user_agent; content:"5|2e|"; startswith; pcre:"/^5\.[0-2]\x20\d\d\x3a\d\d\x20/"; reference:md5,4b6f5e62d7913fc1ab6c71b5b909ecbf; classtype:command-and-control; sid:2016450; rev:8; metadata:created_at 2012_01_12, deprecation_reason Age, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_15, reviewed_at 2024_03_15;)