alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Andariel Backdoor Activity (Checkin)"; flow:established,to_server; content:"HTTP|20|1.1|20|/member.php="; fast_pattern; startswith; content:"SSL3."; distance:0; reference:url,threatray.com/blog/establishing-the-tigerrat-and-tigerdownloader-malware-families/; classtype:command-and-control; sid:2034837; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_12_22, deployment Perimeter, malware_family Andariel, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_12_22;)