alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Rerdom/Asprox CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/b/pkg/"; fast_pattern; pcre:"/^[A-Za-z0-9]{14,15}$/R"; reference:url,malware-traffic-analysis.net/2014/08/24/index.html; reference:url,www.damballa.com/wp-content/uploads/2014/11/Behind_Malware_Infection_Chain_Rerdom.pdf; classtype:command-and-control; sid:2019760; rev:4; metadata:attack_target Client_Endpoint, created_at 2014_11_20, deployment Perimeter, signature_severity Major, tag c2, updated_at 2020_08_18, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)