#alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg: "BLEEDING-EDGE WORM General MSN Worm URL Attempt"; flow: established,from_server; content:".php?"; nocase; content:"email="; nocase; within: 5; content:"@"; nocase; within: 20; reference:url,isc.sans.org/diary.php?date=2005-04-13; classtype: attempted-admin; sid: 2001247; rev:6; )