alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Pushdo.s Checkin"; flow:established,to_server; flowbits:set,ET.Pushdo.S; http.method; content:"POST"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 6.0|3b 20|Windows NT 5.1|3b 20|SV1)"; fast_pattern; http.accept; content:"*/*"; http.accept_lang; content:"en-us"; http.content_type; content:"application/octet-stream"; http.header_names; content:"|0d 0a|Accept|0d 0a|Accept-Language|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; threshold:type limit,track by_src,count 1,seconds 600; classtype:command-and-control; sid:2016867; rev:7; metadata:created_at 2013_05_21, performance_impact Significant, signature_severity Major, updated_at 2025_01_03;)