alert http $EXTERNAL_NET any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET MALWARE ELF/RedXOR CnC Response"; flow:established,from_server; http.stat_code; content:"200"; http.content_len; content:"00000"; startswith; http.header; content:"Total-Length|3a 20|00000"; fast_pattern; reference:url,www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/; classtype:command-and-control; sid:2031935; rev:1; metadata:affected_product Linux, attack_target Client_and_Server, created_at 2021_03_11, deployment Perimeter, malware_family RedXOR, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_03_11;)