alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Win32/FireStealer Related Server Response"; flow:established,to_client; http.stat_code; content:"200"; http.server; content:"nginx"; bsize:5; http.content_type; content:"application/json|3b 20|charset=utf-8"; bsize:31; file.data; content:"|7b 22|status|22 3a 20 22|Success|22 2c 20 22|k|22 3a 20 22|"; startswith; fast_pattern; content:"|22 2c 20 22|c|22 3a 20|"; distance:0; reference:md5,03f80949b6a0d5148c4e0d0557175131; classtype:trojan-activity; sid:2051909; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2024_04_03, deployment Perimeter, malware_family Win32_FireStealer, confidence High, signature_severity Critical, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_03; target:dest_ip;)