alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Retrieving Config"; flow:to_server,established; urilen:22; http.method; content:"GET"; http.uri; content:"/css/bootstrap.min.css"; fast_pattern; http.header; pcre:"/^Host\x3a\x20(?:\d{1,3}\.){3}\d{1,3}\r\nCache-Control\x3a\x20no-cache\r\n(?:\r\n)?$/i"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:trojan-activity; sid:2021261; rev:5; metadata:created_at 2015_06_13, malware_family Win32_Chinad, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_25;)