alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Scieron-A Checkin via HTTP POST"; flow:established,to_server; http.method; content:"POST"; http.uri; pcre:"/^\/\d+$/"; http.user_agent; content:"HTClient|3b|"; fast_pattern; startswith; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:!"|0d 0a|Accept"; reference:md5,15deb1167a383d20b4232503b2f22b24; reference:url,symantec.com/connect/blogs/scarab-attackers-took-aim-select-russian-targets-2012; classtype:command-and-control; sid:2020299; rev:4; metadata:created_at 2015_01_23, malware_family Win32_Scieron_A, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_10;)