alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"🐾 - 🔥👁 FireEye - Backdoor.HTTP.BEACON.[Yelp Request]"; flow:to_server; content:"T "; depth:5; content:" HTTP/1"; distance:0; within:256; content:"Cookie: hl=en|3b|bse="; distance:0; within:256; fast_pattern; content:"|3b|_gat_global=1|3b|recent_locations|3b|_gat_www=1|3b||0d 0a|"; pcre:"/Cookie: hl=en\x3bbse=(?:[A-Za-z0-9_\/\+\-]{128,1024})={0,2}\x3b_gat_global=1\x3brecent_locations\x3b_gat_www=1\x3b\r\n/"; reference:url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference:url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference:url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309563; rev:1; classtype:trojan-activity;)