alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Yayih.A Checkin 2"; flow:to_server,established; http.method; content:"POST"; http.uri; content:"/bbs/search.asp"; fast_pattern; http.header; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 5.0)|0d 0a|"; reference:md5,832f5e01be536da71d5b3f7e41938cfb; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:command-and-control; sid:2017325; rev:5; metadata:created_at 2013_08_13, signature_severity Major, updated_at 2020_04_24;)