alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Malicious Chrome Extension Click Fraud Activity via Websocket"; flow:established,to_client; content:"|7b 22|id|22 3a|"; within:10; content:"|2c 22|data|22 3a 7b 22|method|22 3a 22|GET|22 2c 22|url|22 3a 22|"; distance:0; content:"|22 2c 22|headers|22 3a 7b 22|"; distance:0; content:"|2c 22|timeout|22 3a|30000|2c 22|body|22 3a 22|"; distance:0; fast_pattern; threshold:type both, track by_dst, count 1, seconds 120; reference:url,www.icebrg.io/index.php?p=blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses; reference:url,www.icebrg.io/blog/more-extensions-more-money-more-problems; classtype:trojan-activity; sid:2025221; rev:3; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2018_01_18, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2019_07_26;)