alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Chinad Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/api/?a="; depth:8; fast_pattern; http.host; pcre:"/^(?:\d{1,3}\.){3}\d{1,3}$/"; reference:url,blog.malwarebytes.org/intelligence/2015/06/unusual-exploit-kit-targets-chinese-users-part-2; reference:md5,5a454c795eccf94bf6213fcc4ee65e6d; classtype:command-and-control; sid:2021262; rev:3; metadata:created_at 2015_06_13, malware_family Win32_Chinad, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_22;)