alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Urausy.C Checkin 3"; flow:to_server,established; urilen:>80; http.method; content:"GET"; http.uri; content:".php"; endswith; pcre:"/\/[a-z-_]{75,}\.php$/"; http.user_agent; content:"Mozilla/5.0 (compatible|3b 20|MSIE|20|"; fast_pattern; http.header_names; content:"|0d 0a|User-Agent|0d 0a|"; depth:14; content:!"Referer"; content:!"Accept"; reference:md5,09462f13d7e6aaa0bff2788158343829; reference:md5,b18f80d665f340af91003226a2b974b6; reference:md5,1494b8b9f42753a4bc1762d8f3287db6; classtype:command-and-control; sid:2016809; rev:9; metadata:created_at 2013_05_02, malware_family Win32_Urausy_C, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_08;)