alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Glupteba CnC Checkin"; flow:established,to_server; http.method; content:"POST"; http.user_agent; content:"Go-http-client/"; nocase; http.content_type; content:"application/json"; bsize:16; http.request_body; content:"{|22|ip|22 3a 22|"; startswith; content:",|22|comment|22 3a 22|Opened "; fast_pattern; distance:0; content:"|22|,|22|status|22 3a|"; distance:0; reference:url,news.sophos.com/wp-content/uploads/2020/06/glupteba_final-1.pdf; reference:md5,ae353f4c6558996e3abc9c016dd86e2c; classtype:command-and-control; sid:2030437; rev:1; metadata:attack_target Client_Endpoint, created_at 2020_07_01, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_07_01;)