alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32.Chroject.B Requesting ClickFraud Commands from CnC"; flow:to_server,established; flowbits:set,ET.Chroject; http.method; content:"GET"; http.uri; content:!"."; content:"/"; offset:1; content:"="; distance:0; pcre:"/^\/[a-z_-]+\/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)$/"; http.user_agent; content:"|20|like Gecko|29 20|Chrome/"; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; http.header_names; content:"|0d 0a|Host|0d 0a|"; depth:8; content:!"Referer"; reference:md5,586ad13656f4595723b481d77b6bfb09; classtype:command-and-control; sid:2020747; rev:10; metadata:created_at 2015_03_25, performance_impact Significant, signature_severity Major, updated_at 2024_04_08;)