alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible OwlProxy activity M3"; flow:established,to_server; http.uri; content:"/pp/s?pa="; fast_pattern; reference:url,unit42.paloaltonetworks.com/rare-possible-gelsemium-attack-targets-se-asia; reference:url,www.telsy.com/microsoft-exchange-servers-backdoored-with-owlproxy-fuscom-dll; classtype:trojan-activity; sid:2048237; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, created_at 2023_09_25, deployment Perimeter, deployment Internal, deployment SSLDecrypt, malware_family OwlProxy, performance_impact Low, confidence Low, signature_severity Major, updated_at 2023_09_25, reviewed_at 2023_09_25; target:dest_ip;)