alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BunnyLoader Initial Connection (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"|2e|php|3f|ipaddress|3d|"; fast_pattern; content:"&hostname="; distance:0; content:"&version="; distance:0; content:"&privileges="; distance:0; content:"&arch="; distance:0; content:"&antivirus"; distance:0; content:"&enc_key="; distance:0; reference:url,community.emergingthreats.net/t/new-signatures-bunnyloader/1468; reference:url,unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/; classtype:trojan-activity; sid:2051676; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2024_03_18, deployment Perimeter, malware_family BunnyLoader, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_18;)