alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible APT28 Xtunnel Activity"; flow:established,to_server; http.method; content:"GET"; http.uri.raw; pcre:"/^\/(?:\w+\/){1,5}\?[a-z]{1,6}=[a-z0-9]{2,40}(?:&[a-z]{1,6}=(?:[a-z0-9]){1,40}(%3D){0,2}){1,4}$/i"; http.header; content:"deflate,sdch|0d 0a|Accept|3a 20|text|2f|html,application|2f|xhtml"; fast_pattern; http.user_agent; content:"Mozilla|2f|4.0|20 28|compatible|3b 20|MSIE|20|7.0"; http.connection; content:"Close"; http.header_names; content:!"Referer"; content:!"Cache"; classtype:targeted-activity; sid:2027405; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2019_05_30, deployment Perimeter, malware_family XTunnel, performance_impact Low, confidence Medium, signature_severity Major, tag APT, updated_at 2020_11_03;)