alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Gamaredon CnC Activity (GET)"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"|3a 3a|"; content:"?=Read"; endswith; fast_pattern; http.user_agent; content:"|3a 3a 2f 2e|"; content:"|2f 2e|"; endswith; http.accept_lang; content:"ru|2d|RU|2c|ru|3b|q|3d|0|2e|8|2c|en|2d|US|3b|q|3d|0|2e|6|2c|en|3b|q|3d|0|2e|4"; bsize:35; reference:url,scpc.gov.ua/api/docs/19b0a96e-8c31-44bf-863e-cd3e0b651f22/19b0a96e-8c31-44bf-863e-cd3e0b651f22.pdf; reference:url,unit42.paloaltonetworks.com/trident-ursa/#post-126209-_kwk9f3k7n6vn; classtype:trojan-activity; sid:2044127; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_02_06, deployment Perimeter, deployment SSLDecrypt, malware_family Win32_Gamaredon, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_08, reviewed_at 2023_11_17;)