alert http any any -> any any (msg:"TOOLS [PTsecurity] Sliver C2 HTTP Polling (English)"; flow:established, from_server; http.header; content:"Content-Type|3A| text/plain|3B| charset=utf-8|0d 0a|"; nocase; content:!"Content-Encoding"; nocase; http.response_body; pcre:"/^(?:[A-Z]{2,20}\s?){40,}$/Q"; flowbits:isset, Sliver.HTTP.Encoders; threshold:type limit, track by_src, count 1, seconds 300; reference:url, github.com/BishopFox/sliver; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10008548; rev:3;)