alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE BadSpace/WarmCookie CnC Activity (GET) M1"; flow:established,to_server; urilen:1; http.method; content:"GET"; http.uri; content:"|2f|"; http.user_agent; content:"Mozilla|20 2f 20|"; startswith; fast_pattern; content:"MSIE|20|6|2e|0|3b 20|Windows|20|NT|20|5|2e|1|3b 20|SV1|3b|"; distance:0; http.cookie; bsize:>100; pcre:"/^(?:[A-Za-z0-9\x2b\x2f\x3d]){100,}$/"; reference:url,community.emergingthreats.net/t/sigs-w32-badspace-backdoor/1630; reference:url,malware-traffic-analysis.net/2024/08/15/index.html; reference:url,community.emergingthreats.net/t/badspace-sigs/1898; classtype:trojan-activity; sid:2052557; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_05_13, deployment Perimeter, malware_family WARMCOOKIE, confidence Medium, signature_severity Major, tag c2, updated_at 2024_08_19, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:src_ip;)