alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP Potentially Unwanted Application AirInstaller CnC Beacon"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"/log/?"; fast_pattern; content:"="; distance:1; within:1; content:"&d="; distance:0; content:"&o="; content:"&r="; content:"&s="; content:"&t="; pcre:"/^\/(?:[^\x2f]+\/)*log\/\?[bc]=/"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,e89ec5e8f89ee6ae4a6b65157c886614; classtype:pup-activity; sid:2020701; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_03_17, deployment Perimeter, signature_severity Minor, tag c2, updated_at 2020_08_31, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)