alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET PHISHING Ferest Smuggler Request M1"; flow:established,to_server; http.uri; content:"/?"; content:"="; distance:32; within:1; content:"&"; distance:64; within:1; content:"&username="; fast_pattern; distance:64; within:10; content:"&"; distance:0; isdataat:!33,relative; pcre:"/\/\?(?P<variable>[a-zA-Z0-9]{32})=(?P=variable){2}\&(?P=variable){2}&username=(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}={2})\&(?P=variable)$/"; reference:url,medium.com/@thrunter/cyberuptive-identifies-and-disrupts-ferest-smuggler-a-mass-credential-harvesting-campaign-22875c563854; classtype:credential-theft; sid:2047705; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2023_08_23, deployment Perimeter, deployment SSLDecrypt, malware_family Ferest_Smuggler, performance_impact Moderate, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_23, reviewed_at 2023_08_23; target:src_ip;)