alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Bedep Connectivity Check M2"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; nocase; http.host; content:"www.ecb.europa.eu"; bsize:17; http.accept; content:"text/html, application/xhtml+xml, */*"; http.header; pcre:"/^(?:Connection\x3a[^\r\n]+\r\n)?Accept\x3a[^\r\n]+\r\n(?:Accept-Encoding\x3a[^\r\n]+\r\n)?Accept-Language\x3a[^\r\n]+\r\n(?:Referer\x3a[^\r\n]+[^\r\n]*?\r\n)?User-Agent\x3a[^\r\n]+(?: MSIE |rv\x3a11)/i"; classtype:trojan-activity; sid:2022467; rev:3; metadata:created_at 2016_01_28, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_06_18;)