alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MOBILE_MALWARE Android APT-C-23 (marklavi .com in TLS SNI)"; flow:established,to_server; tls.sni; content:"marklavi.com"; endswith; nocase; reference:url,www.symantec.com/blogs/expert-perspectives/ongoing-android-malware-campaign-targets-palestinians-part-2; classtype:targeted-activity; sid:2026146; rev:4; metadata:created_at 2018_09_19, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_16, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1583, mitre_technique_name Acquire_Infrastructure;)