alert http any any -> $HOME_NET any (msg:"ET RETIRED TA453 BellaCiao ASPX Backdoor User-Agent in HTTP Request"; flow:established,to_server; flowbits:set,ET.BellaCiao.UA; http.uri; content:".aspx"; endswith; http.user_agent; content:"ruby|40|123|21|"; startswith; fast_pattern; threshold:type limit, track by_src, count 1, seconds 180; reference:url,www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/; classtype:trojan-activity; sid:2045224; rev:3; metadata:affected_product Microsoft_IIS, attack_target Web_Server, created_at 2023_04_27, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category MALWARE, malware_family TA453, malware_family BellaCiao, performance_impact Low, confidence High, signature_severity Major, updated_at 2025_04_17, reviewed_at 2025_04_17; target:dest_ip;)