alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/BumbleBee Loader Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /gate HTTP/1.1"; http.user_agent; content:"bumblebee"; bsize:9; fast_pattern; http.request_body; content:"|22|client_id|22|"; content:"|22|group_name|22|"; distance:0; content:"|22|sys_version|22|"; distance:0; content:"User name|3a 20|"; distance:0; reference:md5,555b77d23549e231c8d7f0b003cc5164; reference:md5,3f34d94803e9c8bc0a9cd09f507bc515; classtype:trojan-activity; sid:2035387; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_03_03, deployment Perimeter, deployment SSLDecrypt, malware_family Bumblebee_Loader, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_03;)