alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible UPSTYLE Payload Retrieval Attempt"; flow:established,to_client; http.stat_code; content:"200"; file.data; content:"systempth|20 3d 20 22|/usr/lib/python3.6/site-packages/system.pth|22|"; fast_pattern; content:"import base64|3b|exec|28|base64.b64decode"; within:100; content:"|22|/opt/pancfg/mgmt/licenses/PA_VM|60 2a 22|"; distance:0; reference:url,www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/; reference:url,unit42.paloaltonetworks.com/cve-2024-3400/; reference:md5,0c1554888ce9ed0da1583dbdf7b31651; classtype:trojan-activity; sid:2052025; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_04_12, cve CVE_2024_3400, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Low, signature_severity Major, updated_at 2024_04_12; target:src_ip;)