alert tcp any $HTTP_PORTS -> any any (msg:"🐾 - 🔥👁 FireEye - Backdoor.HTTP.BEACON.[CSBundle NYTIMES Server]"; content:"HTTP/1."; depth:7; content:"Accept-Ranges: bytes"; content:"Age: 5806"; content:"Cache-Control: public,max-age=31536000"; content:"Content-Encoding: gzip"; content:"Content-Length: 256398"; content:"Content-Type: application/javascript"; content:"Server: UploadServer"; content:"Vary: Accept-Encoding, Fastly-SSL"; content:"x-api-version: F-X"; content:"x-cache: HIT"; content:"x-Firefox-Spdy: h2"; content:"x-nyt-route: vi-assets"; content:"x-served-by: cache-mdw17344-MDW"; content:"x-timer: S1580937960.346550,VS0,VE0"; reference:url,https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html; reference:url,https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; reference:url,https://github.com/fireeye/red_team_tool_countermeasures; metadata:created_at 2020_12_11, updated_at 2020_12_11; sid:3309573; rev:1; classtype:trojan-activity;)