alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY W32/Installiq.Adware Install Information Beacon"; flow:established,to_server; http.uri; content:"/ping/installping.aspx"; fast_pattern; content:"shortname="; content:"&os="; content:"&parents="; content:"&browserNames="; content:"&DefaultBrowserName="; content:"&langid="; content:"&installdate="; http.header; content:".installiq.com|0d 0a|"; http.header_names; content:!"Referer|0d 0a|"; content:!"Accept|0d 0a|"; reference:md5,d28e9e62c83ef2308ddcdbad91fe9cb9; classtype:policy-violation; sid:2018210; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_03_05, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2020_09_23, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)