alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Bandit Stealer Config Inbound"; flow:established,to_client; content:"|23 20|The|20|list|20|of|20|blacklisted|20|IP|20|addresses|20|and|20|MAC|20|addresses"; fast_pattern; content:"blackListedIPS|20 3d 20 5b|"; content:"blackListedMacs|20 3d 20 5b|"; content:"blacklisted|20 5f|users|20 3d 20 5b|"; content:"blackListedPCNames|20 3d 20 5b|"; content:"blacklisted|20 5f|processes|20 3d 20 5b|"; reference:url,www.zscaler.com/blogs/security-research/technical-analysis-bandit-stealer; classtype:trojan-activity; sid:2049122; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_08, deployment Perimeter, deployment SSLDecrypt, malware_family Bandit_Stealer, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_11_08, reviewed_at 2023_11_08;)