alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PyRation Variant - Command Sent to Client"; flow:established,to_client; content:"|5b 22|command|22 2c 7b 22|hi|22 3a 22|"; fast_pattern; content:"|22|id|22 3a|"; within:100; reference:url,www.stratosphereips.org/blog/2024/2/23/analysis-and-understanding-of-malware-of-the-pyration-family; reference:url,github.com/stratosphereips/Malware-CC-Recovery/blob/main/README.md; reference:md5,67e77dcdbf046a0fd91a0bbb3e807831; classtype:command-and-control; sid:2051079; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2024_02_26, deployment Perimeter, malware_family PyRation, performance_impact Low, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_26; target:dest_ip;)