alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Zbot POST Request to C2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:".php"; http.header; content:"Accept|3a 20|*/*|0d 0a|User-Agent|3a 20|Mozilla"; depth:32; fast_pattern; pcre:"/(?:Proxy-)?Connection\x3a[^\r\n]+?\r\n(?:Pragma|Cache-Control)\x3a[^\r\n]+?\r\n(?:\r\n)?$/"; http.header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a|Content-Length|0d 0a|"; depth:44; content:!"Accept-"; content:!"Content-Type|0d 0a|"; content:!"Referer|0d 0a|"; reference:md5,c86f7ec18b78055a431f7cd1dca65b82; classtype:command-and-control; sid:2019141; rev:6; metadata:created_at 2014_09_09, performance_impact Moderate, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_08;)