alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF.DES.Downloader Request"; flow:established,to_server; http.uri; content:"/ad.php?id="; fast_pattern; http.user_agent; bsize:118; content:"Mozilla/5.0 (Macintosh|3b 20|Intel Mac OS X 10_10_2) AppleWebKit/600.4.10 (KHTML, like Gecko) Version/8.0.4 Safari/600.4.10"; http.accept_lang; bsize:5; content:"en-us"; http.header; content:"Accept-Encoding|3a 20|deflate|0d 0a|"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|HOST|0d 0a|"; reference:url,blog.malwaremustdie.org/2015/06/mmd-0034-2015-new-elf.html; classtype:trojan-activity; sid:2021352; rev:5; metadata:created_at 2015_06_26, signature_severity Major, updated_at 2024_03_12;)