alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Moose CnC Response"; flow:from_server,established; content:"PP|3b 20|expires="; fast_pattern; http.stat_code; content:"200"; http.cookie; content:"PHPSESSID="; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; distance:0; content:"PP|3b 20|expires="; distance:0; content:"WL="; content:"PP|3b 20|expires="; distance:0; http.content_type; content:"text/html"; startswith; file.data; content:"<html><body><h1>It works!</h1>"; nocase; depth:30; reference:url,gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/; classtype:command-and-control; sid:2023478; rev:4; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2016_11_02, deployment Perimeter, malware_family Linux_Moose, performance_impact Low, confidence High, signature_severity Major, updated_at 2020_10_07;)