alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Taidoor Checkin"; flow:established,to_server; http.uri; content:".jsp?"; fast_pattern; pcre:"/^[a-z]{2}\x3d[a-z0-9]+?[A-F0-9]+?$/R"; http.host; content:!"reg.163.com"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; content:"|0d 0a|User-Agent|0d 0a|"; startswith; reference:url,fireeye.com/blog/technical/cyber-exploits/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html; reference:md5,17f9f999e1814b99601446f8ce7eb816; classtype:command-and-control; sid:2017713; rev:10; metadata:created_at 2013_11_14, deprecation_reason Age, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_12, reviewed_at 2024_02_08;)