TOOLS [PTsecurity] Sliver C2. HTTP Polling. Encoders FB
Source: ptrules/open
Created: September 4, 2025
Updated: September 4, 2025
Classification: attempted-admin
alert http any any -> any any (msg:"TOOLS [PTsecurity] Sliver C2. HTTP Polling. Encoders FB"; flow:established, to_server; http.method; content:"GET"; http.uri; pcre:"/\?[a-z_]=[a-z0-9_]{7,14}$/U"; http.header.raw; content:"Cookie"; nocase; content:"Accept-Encoding|3A| gzip|0d 0a|"; nocase; http.cookie; pcre:"/^[a-zA-Z0-9\-]*?=[0-9a-f]{32}$/C"; flowbits:set, Sliver.HTTP.Encoders; noalert; reference:url, github.com/BishopFox/sliver; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10008545; rev:3;)