alert tcp any any -> any $HTTP_PORTS (msg:"🐾 - 🔥👁 FireEye - Backdoor.HTTP.BEACON.[CSBundle NYTIMES GET]"; content:"GET"; depth:3; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US,en\;q=0.5"; content:"nyt-a="; content:"nyt-gdpr=0\;nyt-purr=cfh\;nyt-geo=US}"; fast_pattern; content:"|0d 0a|Cookie:"; pcre:"/^GET\s(?:\/ads\/google|\/vi-assets\/static-assets|\/v1\/preferences|\/idcta\/translations|\/v2\/preferences)/"; reference:url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference:url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference:url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309548; rev:1; classtype:trojan-activity;)