alert http $HOME_NET any -> any any (msg:"🐾 - 💀 HTTP Zerobot 🤖 🐧 script downloading (curl)"; flow:to_server, stateless; http.user_agent; content:"curl/"; nocase; http.uri; content:"/bins/zero."; fast_pattern; startswith; pcre:"/[a-z0-9]{3,}/i"; reference:url,https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; metadata:created_at 2022_12_07, updated_at 2022_12_07; sid:3300699; rev:2; classtype:trojan-activity;)