alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/Zbot.Variant CnC Response"; flow:established,from_server; flowbits:isset,ET.zbot.ua.2106509; http.stat_code; content:"200"; http.header; content:"Content-Length|3a| 0|0d 0a|Content-Type|3a| text/html|0d 0a|"; fast_pattern; http.header_names; content:"Content-Type|0d 0a 0d 0a|"; endswith; reference:md5,0c4d7d9138de7d7919e3b3c33ac2f851; classtype:command-and-control; sid:2018764; rev:6; metadata:created_at 2013_04_26, performance_impact Moderate, signature_severity Major, updated_at 2024_04_08;)