alert http any any -> any any (msg:"TOOLS [PTsecurity] Sliver C2 HTTP Polling (default headers)"; flow:established, to_server; http.method; content:"GET"; http.uri; pcre:"/\.js\?[a-z_]=[a-z0-9_]{7,14}$/U"; http.header; content:"Accept-Encoding|3A| gzip|0d 0a|"; nocase; content:"Accept|3A| text/html,application/xhtml+xml,application/xml|3B|q=0.9,image/avif,image/webp,image/apng,*/*|3B|q=0.8,application/signed-exchange|3B|v=b3|3B|q=0.9"; nocase; content:"Accept-Language|3A| en-US,en|3B|q=0.9|0d 0a|"; nocase; content:!"Content-Encoding"; nocase; http.cookie; pcre:"/^[a-zA-Z0-9\-]*?=[0-9a-f]{32}$/C"; threshold:type both, track by_src, count 5, seconds 600; reference:url, github.com/BishopFox/sliver; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10008542; rev:3;)