alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Winnti-related Destination"; flow:established,to_server; http.host; content:"microsoftsec.com"; fast_pattern; reference:url,401trg.pw/an-update-on-winnti/; classtype:trojan-activity; sid:2024859; rev:3; metadata:created_at 2017_10_18, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_13;)