alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE SIDESHOW CnC Authentication Over HTTP"; flow:established,to_server; http.uri; content:"1"; startswith; content:"=pAJ9dk4OVq85jxKWoNfw1AG2C&"; distance:0; fast_pattern; content:"="; distance:0; pcre:"/[0-9a-f]{16}$/Ri"; reference:md5,abd91676a814f4b50ec357ca1584567e; reference:url,www.mandiant.com/resources/blog/lightshow-north-korea-unc2970; classtype:command-and-control; sid:2044600; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_03_14, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_14;)