alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Suspected Golang/Zerobot Websocket Activity (GET)"; flow:established,to_server; http.request_line; content:"GET /handle HTTP/1.1"; fast_pattern; http.user_agent; content:"Go-http-client/1.1"; bsize:18; http.header; content:"Upgrade|3a 20|websocket|0d 0a|"; endswith; reference:url,www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities; reference:md5,62c11ea75e82611b6ba7d7bf08ed009f; classtype:trojan-activity; sid:2042943; rev:1; metadata:attack_target Client_Endpoint, created_at 2022_12_15, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_12_15; target:src_ip;)