alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin"; flow:established,to_server; urilen:>80; http.method; content:"GET"; http.uri; pcre:"/^\/[a-z-_]+?\.(php|html)$/i"; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.1|3b 20|WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11"; fast_pattern; endswith; http.header_names; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016553; rev:6; metadata:created_at 2013_03_08, malware_family Win32_Urausy_C, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_15;)