alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE ELF/Muhstik Botnet CnC Activity"; flow:established,to_server; content:"NICK|20|"; content:"USER|20|"; content:"|3a|muhstik-"; fast_pattern; pcre:"/^[0-9]{8}$/Rm"; reference:md5,81fbe69a36650504b88756074a36c183; reference:md5,d20478a01344026a0ecd60b0b29e9bc1; reference:url,blog.netlab.360.com/threat-alert-log4j-vulnerability-has-been-adopted-by-two-linux-botnets/; classtype:command-and-control; sid:2034743; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, created_at 2021_12_15, deployment Perimeter, malware_family Muhstik, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_15;)