alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SoakSoak Malware GET request"; flow:established,to_server; content:"GET"; http_method; content:"/xteas/code"; http_uri; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]+soaksoak\.ru/Hmi"; pcre:"/^\/xteas\/code$/U"; reference:url,blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html; classtype:trojan-activity; sid:2019939; rev:3; metadata:created_at 2014_12_16, signature_severity Major, updated_at 2019_07_26;)