alert tcp any any -> any $HTTP_PORTS (msg:"🐾 - 🔥👁 FireEye - Backdoor.HTTP.BEACON.[CSBundle Original GET]"; content:"GET"; depth:3; content:"Accept: */*|0d 0a|"; content:"Accept-Language: en-US|0d 0a|"; content:"Accept-Encoding: gzip, deflate|0d 0a|"; content:"Cookie:"; content:"display-culture=en\;check=true\;lbcs=0\;sess-id="; distance:0; content:"\;SIDCC=AN0-TY21iJHH32j2m\;FHBv3=B"; pcre:"/^GET\s(?:\/api2\/json\/access\/ticket|\/api2\/json\/cluster\/resources|\/api2\/json\/cluster\/tasks|\/en-us\/p\/onerf\/MeSilentPassport|\/en-us\/p\/book-2\/8MCPZJJCC98C|\/en-us\/store\/api\/checkproductinwishlist|\/gp\/cerberus\/gv|\/gp\/aj\/private\/reviewsGallery\/get-application-resources|\/gp\/aj\/private\/reviewsGallery\/get-image-gallery-assets|\/v1\/buckets\/default\/ext-5dkJ19tFufpMZjVJbsWCiqDcclDw\/records|\/v3\/links\/ping-centre|\/v4\/links\/activity-stream|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-content\/themes\/am43-6\/dist\/records|\/wp-includes\/js\/script\/indigo-migrate)/"; reference:url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference:url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference:url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309567; rev:1; classtype:trojan-activity;)