alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected APT15/NICKEL KETRUM CnC Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".aspx?id="; http.accept; content:"text/html,text/xml,application/xhtml+xml,application/xml|3b|q=0.9,*/*|3b|q=0.8"; fast_pattern; content:"*/*"; distance:0; http.accept_lang; content:"q=0.8,en|3b|q=0.7"; http.header; content:!"Referer"; content:!"User-Agent"; reference:md5,278ac5d64e21a1ab63ec2c590a803253; classtype:command-and-control; sid:2030208; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_05_22, deployment Perimeter, malware_family APT15, performance_impact Low, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_22;)