alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; http.uri; content:"/list.php?db="; fast_pattern; http.accept_lang; content:"ko-kr"; startswith; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; classtype:command-and-control; sid:2016050; rev:4; metadata:attack_target Client_Endpoint, created_at 2012_12_18, deployment Perimeter, signature_severity Major, tag c2, updated_at 2020_04_22, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)