alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Possible ASPROX Download URI Struct June 19 2014"; flow:established, to_server; content:"GET"; http_method; content:".php?"; http_uri; fast_pattern:only; content:!"=aHR0cD"; http_uri; content:"User-Agent|3a|"; http_header; content:!"|0d 0a|Referer|3a|"; http_header; pcre:"/\/[a-z]{2,9}\.php\?(?:[a-z0-9]{2,4}|[cktw])=[a-zA-Z0-9\x2b\x2f\x5c]{43,56}=?$/U"; classtype:trojan-activity; sid:2018589; rev:6; metadata:created_at 2014_06_20, signature_severity Unknown, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)