alert http any any -> any 80 (msg:"ET CURRENT_EVENTS Win32.RBrute http server request"; flow:to_server,established; flowbits:set,ET.Rbrute.incoming; http.user_agent; content:"BlackBerry9000/5.0.0.93 Profile/MIDP-2.0 Configuration/CLDC-2.1 VendorID/831"; fast_pattern; nocase; reference:md5,f8ff430aee52da3b4b1759700be9aead; reference:url,www.welivesecurity.com/2014/04/02/win32sality-newest-component-a-routers-primary-dns-changer-named-win32rbrute/; classtype:trojan-activity; sid:2018355; rev:5; metadata:created_at 2014_04_04, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_23;)