alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WikiLoader Activity M2 (GET)"; flow:established,to_server; flowbits:set,ET.wikiloader; http.method; content:"GET"; http.uri; content:".php?id=2"; fast_pattern; endswith; http.header_names; content:"|0d 0a|Accept|0d 0a|Cookie|0d 0a|"; startswith; content:!"Referer"; http.user_agent; content:"Intel Mac OS X"; reference:url,www.proofpoint.com/us/blog/threat-insight/out-sandbox-wikiloader-digs-sophisticated-evasion; reference:url,app.any.run/tasks/f98aa2c5-deae-408a-8e86-530e7961dfb6/; reference:md5,f69b31ef39887d6e04d4e972d69bd450; classtype:trojan-activity; sid:2046970; rev:1; metadata:attack_target Client_Endpoint, created_at 2023_07_31, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_07_31; target:src_ip;)