alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mint Stealer Data Exfiltration Server Response"; flow:established,to_client; flowbits:isset,ET.MintStealer.Exfil; http.stat_code; content:"200"; http.header; content:"X-Powered-By|3a 20|Express"; http.cookie; content:"connect.sid|3d|s"; startswith; fast_pattern; http.response_body; bsize:2; content:"OK"; reference:url,x.com/Gi7w0rm/status/1805182838473437312; reference:md5,e6e620e5cac01f73d0243dc9cf684193; classtype:trojan-activity; sid:2053839; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Windows_11, attack_target Client_and_Server, tls_state TLSDecrypt, created_at 2024_06_24, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Mint_Stealer, updated_at 2024_06_24; target:dest_ip;)