alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING Suspected Malicious Telegram Communication (POST)"; flow:established,to_server; pcre:"/^[\x20-\x7e\r\n]{0,20}[^\x20-\x7e\r\n]/P"; http.header; content:"|0d 0a|Accept-Language|3a 20|en-US,*|0d 0a|User-Agent|3a 20|Mozilla/5.0|0d 0a|Host|3a 20|"; fast_pattern; http.content_len; byte_test:0,=,40,0,string,dec; http.request_line; content:"POST /api HTTP/1.1"; depth:18; isdataat:!1,relative; http.content_type; content:"application/x-www-form-urlencoded"; depth:33; isdataat:!1,relative; http.header_names; content:"|0d 0a|Content-Type|0d 0a|Content-Length|0d 0a|Connection|0d 0a|Accept-Encoding|0d 0a|Accept-Language|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; depth:98; isdataat:!1,relative; reference:md5,fe5338aee73b3aae375d7192067dc5c8; reference:url,www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/; classtype:misc-activity; sid:2029634; rev:3; metadata:attack_target Client_Endpoint, created_at 2020_03_12, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_04_18;)