🐾 - Backdoor.BEACON
Source: pawpatrules
Created: December 19, 2020
Updated: December 19, 2020
Classification: trojan-activity
alert tcp any any -> $HOME_NET any (msg:"🐾 - Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"|0d 0a|"; distance:6; within:4; reference:url,https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html; reference:url,https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-026/; reference:url,https://github.com/fireeye/sunburst_countermeasures; metadata:created_at 2020_12_19, updated_at 2020_12_19; sid:3309600; rev:1; classtype:trojan-activity;)
Metadata
created at: 2020_12_19
updated at: 2020_12_19