alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Putter Panda HTTPClient CnC HTTP Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/Microsoft"; nocase; content:"/default.asp"; distance:0; content:"?tmp="; fast_pattern; pcre:"/\/default\.aspx?\?tmp=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header_names; content:!"Referer|0d 0a|"; reference:url,resources.crowdstrike.com/putterpanda/; reference:md5,544fca6eb8181f163e2768c81f2ba0b3; classtype:command-and-control; sid:2018554; rev:6; metadata:created_at 2014_06_11, signature_severity Major, updated_at 2020_10_05;)