alert http any any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/k.php?h="; startswith; http.user_agent; content:"ballsack"; startswith; fast_pattern; http.header_names; content:!"|0d 0a|Accept|0d 0a|"; content:!"|0d 0a|Referer|0d 0a|"; reference:url,isc.sans.edu/forums/diary/More+Device+Malware+This+is+why+your+DVR+attacked+my+Synology+Disk+Station+and+now+with+Bitcoin+Miner/17879; classtype:trojan-activity; sid:2018344; rev:5; metadata:created_at 2014_04_02, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_02;)