alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE KeyBase Keylogger Checkin"; flow:to_server,established; http.method; content:"GET"; nocase; http.uri; content:".php?type=notification&machinename="; fast_pattern; content:"&machinetime="; http.header_names; content:!"User-Agent|0d 0a|"; reference:md5,fa6f24a18ef772d9cdaa1d6cd1e24d1b; reference:url,researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/; classtype:command-and-control; sid:2021188; rev:4; metadata:created_at 2015_06_05, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_01;)