alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (Nosviak4 C2)"; flow:established,to_client; tls.cert_fingerprint; content:"97:28:b6:2d:f7:83:3e:72:56:a6:66:c6:1f:7d:0d:5b:fc:7e:59:7b"; reference:url,censys.com/pivoting-for-nosviak/; classtype:command-and-control; sid:2059672; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_01_27, deployment Perimeter, confidence High, signature_severity Major, tag c2, updated_at 2025_01_27, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol; target:src_ip;)