alert http $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET MALWARE Possible Raspberry Robin Activity M2 (GET)"; flow:established,to_server; urilen:39<>59; http.method; content:"GET"; http.uri; content:!"|2e|"; http.header; content:"Connection|3a 20|Keep|2d|Alive|0d 0a|Accept|3a 20 2a 2f 2a 0d 0a|User|2d|Agent|3a 20|Windows|20|Installer|0d 0a|Host|3a 20|"; startswith; fast_pattern; http.header_names; content:"|0d 0a|Connection|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host|0d 0a 0d 0a|"; bsize:42; reference:md5,f5e6ffec3c33e9c84e11d6101d181c4e; reference:md5,131243c786a2efed6e7f35dabfef4be8; reference:md5,b7d6f079a6b084c1c8293ab4cd54b585; reference:md5,d1993684f055e9cfd964d35952f570f8; reference:md5,3329ad32799c142d6cd5e7f6a1dff755; reference:url,twitter.com/BushidoToken/status/1646855931945205763; reference:url,redcanary.com/blog/raspberry-robin; classtype:trojan-activity; sid:2045212; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_04_27, deployment Perimeter, performance_impact Low, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_27; target:src_ip;)