alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DDoS.XOR Checkin via HTTP"; flow:established,to_server; http.user_agent; content:"MSIE 6.0|3b 20|Windows NT 5.2|3b 20|SV1|3b 20|TencentTraveler|20 3b 20|.NET CLR 1.1.4322"; fast_pattern; reference:md5,d818d056bbf7e227151d40c8bd539976; reference:url,blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf; classtype:command-and-control; sid:2021336; rev:6; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2015_06_24, deployment Perimeter, malware_family DDoS_XOR, performance_impact Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_25;)