alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Popwin Checkin"; flow:to_server,established; http.uri; content:"/soft/xiaomi"; fast_pattern; content:".asp"; distance:0; http.user_agent; content:"API-Guide test program"; depth:22; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,dd762c69049fbd00c22f70f109baa26e; classtype:command-and-control; sid:2018143; rev:8; metadata:created_at 2014_02_15, signature_severity Major, updated_at 2020_10_28;)