alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Numinon CnC Activity via WebSockets"; flow:established,to_server; http.header_names; content:"|0d 0a|X-Punkin-Agent-ID|0d 0a|"; http.user_agent; content:"PunkinAgent/"; startswith; fast_pattern; reference:url,activecountermeasures.com/malware-of-the-day-multi-modal-c2-communication-numinon-c2/; classtype:trojan-activity; sid:2063441; rev:1; metadata:created_at 2025_07_14, signature_severity Unknown, updated_at 2025_07_14;)