alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP W32/Stan Malvertising.Dropper CnC Beacon"; flow:established,to_server; urilen:>50; http.method; content:"GET"; http.uri; pcre:"/^\/[a-f0-9]{50,}$/"; http.header; content:"Proxy-Authorization|3a 20|Basic"; http.host; content:"stan|2E|"; fast_pattern; startswith; http.header_names; content:!"Accept-"; content:!"Referer|0d 0a|"; reference:url,blogs.cisco.com/security/kyle-and-stan/; classtype:pup-activity; sid:2019145; rev:5; metadata:attack_target Client_Endpoint, created_at 2014_09_10, deployment Perimeter, signature_severity Minor, tag c2, updated_at 2020_10_12, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)