alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NamelessC2 Implant Terminal Checkin"; flow:established,to_server; urilen:5; http.method; content:"GET"; http.uri; content:"/info"; http.header_names; bsize:18; content:"|0d 0a|accept|0d 0a|host|0d 0a 0d 0a|"; fast_pattern; http.accept; bsize:3; content:"|2a 2f 2a|"; reference:url,github.com/trickster0/NamelessC2; classtype:command-and-control; sid:2056414; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2024_10_02, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Critical, updated_at 2024_10_02;)