alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SeaDuke CnC Beacon"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".php"; endswith; http.header; content:"Accept-Encoding|3a 20|identity|0d 0a|Host|3a 20|"; startswith; fast_pattern; http.cookie; pcre:"/^[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+(?:\x3b\x20[a-zA-Z0-9_-]{2,6}=[a-zA-Z0-9_-]+){1,6}={0,2}?$/"; http.header_names; content:!"|0d 0a|Accept|0d 0a|"; reference:md5,a25ec7749b2de12c2a86167afa88a4dd; reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/; classtype:targeted-activity; sid:2021413; rev:6; metadata:attack_target Client_Endpoint, created_at 2015_07_15, deployment Perimeter, performance_impact Moderate, signature_severity Major, tag c2, updated_at 2024_04_06, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)