TOOLS [PTsecurity] Sliver C2 HTTP Polling (gzip)

SID: 10008547
Rev: 2
Source: ptrules/open
Created: September 4, 2025
Updated: September 4, 2025
Classification: attempted-admin
alert http any any -> any any (msg:"TOOLS [PTsecurity] Sliver C2 HTTP Polling (gzip)"; flow:established, from_server; http.header; content:"Content-Type|3A| application/x-gzip|0d 0a|"; nocase; content:!"Content-Encoding"; nocase; http.response_body; content:"|1f 8b|"; depth:2; flowbits:isset, Sliver.HTTP.Encoders; threshold:type limit, track by_src, count 1, seconds 300; reference:url, github.com/BishopFox/sliver; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10008547; rev:2;)
