alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE ELF/crond CnC Request (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/api/buffalo_"; startswith; fast_pattern; content:"|2e|txt"; endswith; http.user_agent; content:"curl"; reference:url,x.com/malwrhunterteam/status/1826882222323794335; reference:md5,d13254b450e9c45b86f0972eb3a10608; classtype:trojan-activity; sid:2055467; rev:1; metadata:affected_product Linux, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_08_23, deployment Perimeter, malware_family ELF_crond, confidence High, signature_severity Critical, tag c2, updated_at 2024_08_23, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)