ET MALWARE Ponmocup HTTP Request (generic) M7

SID: 2022203
Rev: 6
Source: et/open
Created: December 2, 2015
Updated: May 1, 2024
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Ponmocup HTTP Request (generic) M7"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 600; http.header; content:"Pragma|3a 20|no-cache|0d 0a|"; content:"Cache-Control|3a 20|no-cache|0d 0a|"; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; content:"7"; fast_pattern; startswith; http.cookie; content:"="; pcre:"/^[a-z0-9_-]{300,}/Ri"; http.accept; content:"*/*"; depth:3; endswith; http.connection; content:"Close"; depth:5; endswith; http.header_names; pcre:"/\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a(?:Cache\-Control|Connection|Pragma)\x0d\x0a/"; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blog.Fox-IT.com/2015/12/02/ponmocup-a-giant-hiding-in-the-shadows; classtype:trojan-activity; sid:2022203; rev:6; metadata:created_at 2015_12_02, performance_impact Significant, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_05_01;)

Metadata

created at: 2015_12_02
performance impact: Significant
signature severity: Major
tag: Description_Generated_By_Proofpoint_Nexus
updated at: 2024_05_01
