alert smtp $HOME_NET any -> $EXTERNAL_NET 587 (msg:"🐾 - 🚨 🐍 SnakeKeylogger ⌨ SMTP Exfiltration - T1048"; flow:to_server, stateless; content:"|45 48 4c 4f 20|"; content:"|53 75 62 6a 65 63 74 3a|"; content:"|50 63 20 4e 61 6d 65 3a 20|"; fast_pattern; pcre:"/.{1,15}[\|\/].{1,}/"; distance:0; reference:url,https://attack.mitre.org/techniques/T1048/; reference:url,https://x-junior.github.io/malware%20analysis/2022/06/24/Snakekeylogger.html; reference:url,https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger; reference:url,https://samples.vx-underground.org/Papers/Malware%20Defense/Malware%20Analysis/2024/2024-06-30%20-%20Deep%20Analysis%20of%20Snake%20(404%20keylogger).pdf; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1048, mitre_technique_name Exfiltration_Over_Alternative_Protocol, malware_family SnakeKeylogger, created_at 2024_08_14, updated_at 2024_08_14; sid:3321335; rev:1; classtype:targeted-activity;)