alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE TA577 Style Request (2023-05-15)"; flow:established,to_server; flowbits:set,ET.TA557.20230515.Request; http.method; content:"GET"; urilen:10<>16; http.uri; content:"/"; startswith; content:"/?2"; offset:3; depth:5; fast_pattern; isdataat:!8,relative; content:!"|2e|"; content:!"&"; pcre:"/^\/(?!(?:h(?:elp|tml)|a(?:ch|ds)|blog|goto|item|site|user|en))(?:[A-IL-VX]{2,4}|[a-il-vx]{2,4})\/\?2[0-9]{4,7}$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; nocase; http.host; content:!"ebby.com"; content:!"attsuppliers.com"; content:!"rittal.com"; classtype:trojan-activity; sid:2048247; rev:3; metadata:attack_target Client_and_Server, created_at 2023_09_26, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Major, tag TA577, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_12_13, reviewed_at 2023_09_26; target:src_ip;)