alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Upatre Redirector Jan 9 2015"; flow:established,to_server; flowbits:set,ET.Upatre.Redirector; http.method; content:"GET"; http.uri; content:".js?"; fast_pattern; content:".js"; endswith; distance:30; pcre:"/\d\.js\?[a-zA-Z0-9]{7,16}=[^&]+(?:&[a-zA-Z0-9]{7,16}=[^&]+){3}\.js$/"; http.referer; content:".html"; endswith; classtype:trojan-activity; sid:2020159; rev:8; metadata:created_at 2015_01_09, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_04;)