alert http $HOME_NET any -> any any (msg:"ET MALWARE DeerStealer Websocket Initial Request"; flow:established,to_server; http.method; content:"GET"; http.uri; bsize:2; content:"/c"; http.header_names; content:"|0d 0a|host|0d 0a|upgrade|0d 0a|connection|0d 0a|sec-websocket-version|0d 0a|sec-websocket-key|0d 0a 0d 0a|"; fast_pattern; nocase; http.header; content:!"user-agent|3a 20|"; nocase; reference:url,any.run/cybersecurity-blog/deerstealer-campaign-analysis/; classtype:trojan-activity; sid:2061600; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_04_15, deployment Perimeter, signature_severity Major, updated_at 2025_04_15; target:src_ip;)