alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE OSX/ZuRu Activity (POST)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/u.php?id="; startswith; fast_pattern; http.user_agent; content:"curl/"; startswith; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/"; reference:url,objective-see.com/blog/blog_0x66.html; reference:md5,2786ebc3b917866d30e622325fc6f5f3; classtype:trojan-activity; sid:2033965; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_09_16, deployment Perimeter, malware_family OSX_ZuRu, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_09_16;)