alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE EtumBot Ping"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/history/"; fast_pattern; depth:9; content:".asp"; pcre:"/^\x2fhistory\x2f[A-Za-z0-9+_-]+\x2easp$/i"; http.user_agent; content:"Mozilla/5.0 |28|compatible|3b 20|MSIE 8.0|3b 20|Windows NT 6.1|3b 20|Trident/5.0|29 |"; depth:63; endswith; http.referer; content:"http|3a|//www.google.com/"; startswith; reference:url,www.arbornetworks.com/asert/2014/06/illuminating-the-etumbot-apt-backdoor/; reference:md5,ca838b98ca0f516858a8a523dcd1338d; classtype:trojan-activity; sid:2018547; rev:5; metadata:created_at 2014_06_09, signature_severity Major, updated_at 2020_10_14;)