alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE FakeM RAT CnC Beacon"; flow:established,to_server; content:"<html><title>"; depth:13; content:"</title><body>"; within:48; content:!"</body>"; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; distance:0; reference:md5,3e008471eaa5e788c41c2a0dff3d1a89; classtype:command-and-control; sid:2014636; rev:5; metadata:attack_target Client_Endpoint, created_at 2012_04_25, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2019_07_26, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)