alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Operation Interception Payload CnC Checkin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:".asp"; endswith; fast_pattern; http.request_body; content:"F4"; offset:2; pcre:"/^[A-F0-9]{2}F4[A-F0-9]{2}0(?:1|2|3)[A-F0-9]{8}/"; reference:url,www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf; classtype:command-and-control; sid:2030377; rev:1; metadata:created_at 2020_06_22, deployment SSLDecrypt, performance_impact Moderate, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_06_22;)