alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"🐾 - 🚨 OneStart suspicious Web browser for Windows 🪟 observed 🌐"; flow:to_server, stateless; ja3.hash; content:"74954a0c86284d0d6e1c4efefe92b521"; fast_pattern; tls_sni; content:"onestart.ai"; endswith; nocase; target:src_ip; reference:url,https://www.malwarebytes.com/blog/detections/pup-optional-onestart; metadata:signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, former_category MALWARE, malware_family OneStart, created_at 2025_03_14, updated_at 2025_03_14; sid:3321423; rev:1; classtype:targeted-activity;)