#alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg: "BLEEDING-EDGE WORM General MSN Worm URL Outbound"; flow: established,to_server; content:".php?"; nocase; content:"email="; nocase; within: 5; content:"@"; nocase; within: 20; reference:url,isc.sans.org/diary.php?date=2005-04-13; classtype: attempted-admin; sid: 2001878; rev:5; )