🐾 - 🚨 Malicious public IP lookup from RAT - possible Quasar / Azorult / VoidRat - T1016.001

SID: 3321410
Rev: 1
52 views
Source: pawpatrules
Created: January 4, 2025
Updated: January 4, 2025
Classification: trojan-activity
alert http $HOME_NET any -> $EXTERNAL_NET 80 (msg:"🐾 - 🚨 Malicious public IP lookup from RAT - possible Quasar / Azorult / VoidRat - T1016.001"; flow:to_server,stateless; http.user_agent; content:"Mozilla/5.0 (Windows NT 6.3|3b 20|rv|3a|48.0) Gecko/20100101 Firefox/48.0"; http.host; content:"ip-api.com"; endswith; http.method; content:"GET"; urilen:6; http.uri; content:"/json/"; endswith; fast_pattern; http.connection; content:"Keep-Alive"; endswith; target:src_ip; metadata:attack_target Client_Endpoint, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1016.001, mitre_technique_name System_Network_Configuration_Discovery-Internet_Connection_Discovery, former_category MALWARE, malware_family Quasar_Rat, malware_family AZORult, malware_family VoidRat, created_at 2025_01_04, updated_at 2025_01_04; sid:3321410; rev:1; classtype:trojan-activity;)

Metadata

attack target: Client_Endpoint
signature severity: Major
affected product: Windows_XP_Vista_7_8_10_11
mitre tactic id: TA0007
mitre tactic name: Discovery
mitre technique id: T1016.001
mitre technique name: System_Network_Configuration_Discovery-Internet_Connection_Discovery
former category: MALWARE
malware family: VoidRat
created at: 2025_01_04
updated at: 2025_01_04
