alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Mutter Backdoor Checkin"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/index.aspx?i="; fast_pattern; http.header; pcre:"/^(Host\x3a [^\r\n]+?\r\nConnection\x3a Keep-Alive|Connection\x3a Keep-Alive\r\nHost\x3a [^\r\n]+?)\r\n(\r\n)?$/i"; reference:url,fireeye.com/blog/technical/malware-research/2013/04/the-mutter-backdoor-operation-beebus-with-new-targets.html; classtype:command-and-control; sid:2016773; rev:5; metadata:created_at 2013_04_19, signature_severity Major, updated_at 2020_10_08;)