ET MALWARE Zbot Generic URI/Header Struct .bin
Source: et/open
Created: February 1, 2014
Updated: September 21, 2021
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot Generic URI/Header Struct .bin"; flow:established,to_server; http.method; content:"GET"; http.uri; pcre:"/\/[a-z0-9]{1,31}\.bin$/"; http.header; content:!"AskTbARS"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!".passport.net"; endswith; content:!".microsoftonline-p.net"; endswith; content:!".symantec.com"; endswith; content:!".qq.com"; endswith; content:!"aocdn.net"; content:!"kankan.com"; endswith; content:!"conf.v.xunlei.com"; endswith; content:!"burstek.com"; endswith; http.request_line; content:".bin HTTP/1."; fast_pattern; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept-Language|0d 0a|"; classtype:trojan-activity; sid:2018052; rev:11; metadata:created_at 2014_02_01, confidence Medium, signature_severity Major, updated_at 2021_09_21;)
Metadata
created at: 2014_02_01
confidence: Medium
signature severity: Major
updated at: 2021_09_21