alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Win32/Hupigon ip.txt with a Non-Mozilla UA"; flow:established,to_server; http.uri; content:"/ip.txt"; nocase; endswith; fast_pattern; http.header; content:!"%E5%A4%A7%E4%BC%97%E7%82%B9%E8%AF%84"; content:"|3a 20|no-cache|0d 0a|"; endswith; http.header_names; content:"|0d 0a|User-Agent|0d 0a|Host|0d 0a|"; startswith; content:"|0d 0a 0d 0a|"; within:17; pcre:"/(?:Cache-Control|Pragma)\x0d\x0a\x0d\x0a$/"; http.user_agent; content:!"Mozilla"; http.host; dotprefix; content:!".malwaredomainlist.com"; reference:md5,4d23395fcbab1dabef9afe6af81df558; classtype:trojan-activity; sid:2016950; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2013_05_31, deployment Perimeter, malware_family Hupigon, confidence Low, signature_severity Major, updated_at 2023_09_29, reviewed_at 2023_09_29; target:src_ip;)