alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE PyRation Variant - Action Sent to Client"; flow:established,to_client; content:"|22|action|22 2c 7b 22|action|5f|number|22 3a|"; fast_pattern; content:"|22|file|5f|data|22 3a|"; within:200; reference:url,www.stratosphereips.org/blog/2024/2/23/analysis-and-understanding-of-malware-of-the-pyration-family; reference:url,github.com/stratosphereips/Malware-CC-Recovery/blob/main/README.md; reference:md5,67e77dcdbf046a0fd91a0bbb3e807831; classtype:command-and-control; sid:2051080; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2024_02_26, deployment Perimeter, malware_family PyRation, performance_impact Low, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_26; target:dest_ip;)