alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE IP Check With Minimal Headers and Custom User-Agent (Common Host Profiling Technique)"; flow:established,to_server; http.user_agent; bsize:11; content:"Mozilla/5.0"; http.header_names; bsize:22; content:"|0d 0a|user-agent|0d 0a|host|0d 0a 0d 0a|"; nocase; http.host; pcre:"/(?:iplocation\x2enet|ipcheck\x2eme|ipinfo\x2eio|ipconfig\x2eme|ipconfig\x2ees|extreme-ip-lookup|myexternalip\x2ecom|ip-api\x2ecom|ip\x2eify\x2eorg|checkip\x2edyndns\x2eorg)$/"; http.header; content:"user-agent|3a 20|mozilla/5.0|0d 0a|"; fast_pattern; nocase; reference:md5,e8637f4951132c74862952539b56edf7; classtype:trojan-activity; sid:2064028; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Mac_OSX, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_08_14, deployment Perimeter, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag c2, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_08_18, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1046, mitre_technique_name Network_Service_Discovery; target:src_ip;)