ET PHISHING Possible Successful Websocket Credential Phish Sep 15 2017
Source: et/open
Created: September 14, 2017
Updated: October 29, 2020
Classification: credential-theft
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Possible Successful Websocket Credential Phish Sep 15 2017"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"&transport=websocket&sid="; fast_pattern; http.header; content:"Sec-WebSocket-Version|3a 20|13|0d 0a|"; content:"Sec-WebSocket-Extensions|3a 20|permessage-deflate"; content:"Sec-WebSocket-Key|3a 20|"; content:"Upgrade|3a 20|websocket"; content:"origin|3a 20|"; pcre:"/^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)/Ri"; http.cookie; content:"connect.sid="; content:"io="; classtype:credential-theft; sid:2025001; rev:4; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2017_09_14, deployment Perimeter, confidence Medium, signature_severity Critical, tag Phishing, updated_at 2020_10_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1566, mitre_technique_name Phishing;)
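As an added example, not part of this page or of the ET rule set, the following Python applies each condition of SID 2025001 in turn (method, URI, header content matches, the relative pcre after "origin: ", and the cookie matches) to a raw client request, so the rule's logic can be exercised against constructed samples offline. The function and sample names are assumptions; header names are compared case-insensitively, which the rule's literal content matches do not do.

```python
import re

# The rule's pcre. Suricata's /R applies it to the text after the preceding
# "origin: " match and /i makes it case-insensitive; re.IGNORECASE + match()
# on the text following "origin: " reproduces that here.
ORIGIN_PCRE = re.compile(
    r"^[^\r\n]+(?:s(?:e(?:rvic|cur)e|c(?:otia|ure)|antander|ign\-?in|napchat)"
    r"|c(?:h(?:eck(?:out)?|a(?:in|se))|ustomer|onfirm|loud)"
    r"|p(?:ay(?:pa[il]|ment)|(?:hon|ost)e|rivacy)|i(?:n(?:terac|sta)|cloud|phone|tunes)"
    r"|re(?:solution|covery|fund|port|dir)|a(?:pp(?:id|le)|ccount|mazon)"
    r"|n(?:otification|etflix|terac)|l(?:o(?:cked|gin)|imited)|(?:etransf|twitt|ord)er"
    r"|d(?:ocusign|ropbox)|f(?:acebook|orgot)|veri(?:tas|f)|upd(?:ate|t)|yahoo|bofa|hmrc)",
    re.IGNORECASE,
)
# The rule's http.header content matches, with |3a 20| and |0d 0a| expanded.
HEADER_NEEDLES = ("Sec-WebSocket-Version: 13\r\n", "Sec-WebSocket-Extensions: permessage-deflate",
                  "Sec-WebSocket-Key: ", "Upgrade: websocket")

def matches_sid_2025001(request: bytes) -> bool:
    """True when a raw client request satisfies every condition of the rule."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, _, headers = head.partition("\r\n")
    headers = "\r\n" + headers + "\r\n"  # CRLF-delimit every header line
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "GET":           # http.method; content:"GET"
        return False
    if "&transport=websocket&sid=" not in parts[1]:    # http.uri; fast_pattern
        return False
    if any(needle not in headers for needle in HEADER_NEEDLES):
        return False
    # content:"origin|3a 20|" then the relative pcre. Header names are compared
    # case-insensitively here, an assumption; the rule's content match is literal.
    pos = headers.lower().find("\r\norigin: ")
    if pos < 0 or not ORIGIN_PCRE.match(headers[pos + len("\r\norigin: "):]):
        return False
    # http.cookie: both "connect.sid=" and "io=" must appear in the Cookie value
    m = re.search(r"\r\ncookie: ([^\r\n]*)", headers, re.IGNORECASE)
    cookie = m.group(1) if m else ""
    return "connect.sid=" in cookie and "io=" in cookie

def sample_request(origin: str, cookie: str) -> bytes:
    """Constructed Socket.IO-style websocket upgrade request, not captured traffic."""
    return (
        "GET /socket.io/?EIO=3&transport=websocket&sid=abc123 HTTP/1.1\r\n"
        "Host: example.test\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
        "Sec-WebSocket-Version: 13\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        "Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits\r\n"
        f"Origin: {origin}\r\nCookie: {cookie}\r\n\r\n"
    ).encode()
```

Because the pcre only needs a keyword somewhere in the Origin value, a benign site whose hostname contains "login" or "account" will also satisfy it, which is why the rule carries confidence Medium and the cookie conditions exist to narrow it to Socket.IO sessions.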
Metadata