This signature is mostly looking for a delimiter that appears in recent Gamaredon activity to trycloudflare domains (they used similar characters in HTTP URIs in previous campaigns and I don’t think any legitimate user agent has ::/. in it and the trycloudflare should limit it further).
This would require TLS decryption to see the traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gamaredon.APT TryCloudFlare Activity With User Agent Delimiter"; flow:established,to_server; http.host; content:".trycloudflare.com"; http.user_agent; content:"|3A 3A|/."; reference:url,go.recordedfuture.com/hubfs/reports/cta-ru-2024-1205.pdf; classtype:trojan-activity; sid:152131; rev:1;)
Kind Regards,
Kevin Ross
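The following is an added example, not part of Kevin's post or the ET ruleset: a small Python script that decodes the rule's `|3A 3A|/.` content pattern into bytes and applies the same two substring checks (http.host contains `.trycloudflare.com`, http.user_agent contains `::/.`) to a few constructed HTTP requests, so a defender can see which requests the signature would and would not fire on before deploying it. The sample requests, hostnames and user agents are made up for the test; the only real values are the two content patterns from the rule.

```python
# Added example: replays the ET rule's http.host / http.user_agent checks in Python.
# The SAMPLE_REQUESTS below are constructed for illustration, not captured traffic.

def content_to_bytes(pattern: str) -> bytes:
    """Turn a Suricata 'content' string into raw bytes.

    Text between '|' characters is a run of hex bytes, e.g. '|3A 3A|/.' -> b'::/.'.
    Segments outside the pipes are taken literally.
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern: %r" % pattern)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:  # odd-indexed segments sit between pipes -> hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


# The two content matches from the rule, as bytes.
HOST_NEEDLE = content_to_bytes(".trycloudflare.com")
UA_NEEDLE = content_to_bytes("|3A 3A|/.")


def parse_headers(raw_request: str) -> dict:
    """Extract header name -> value (names lowercased) from a raw HTTP/1.1 request."""
    headers = {}
    lines = raw_request.split("\r\n")[1:]  # skip the request line
    for line in lines:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def matches_rule(host: str, user_agent: str) -> bool:
    """Mirror the rule: both contents are plain substring matches (no anchoring
    keywords), and Suricata normalises the http.host buffer to lowercase, so the
    host is lowercased here too. The UA pattern has no letters, so case is moot."""
    h = host.lower().encode("latin-1", "replace")
    ua = user_agent.encode("latin-1", "replace")
    return HOST_NEEDLE in h and UA_NEEDLE in ua


def scan(requests):
    """Return the indices of requests the signature would alert on."""
    hits = []
    for i, raw in enumerate(requests):
        hdr = parse_headers(raw)
        if matches_rule(hdr.get("host", ""), hdr.get("user-agent", "")):
            hits.append(i)
    return hits


# Constructed sample requests (hostnames and user agents are invented).
SAMPLE_REQUESTS = [
    # 0: trycloudflare host + '::/.' in the UA -> should alert
    "GET /a HTTP/1.1\r\nHost: Example-Words.trycloudflare.com\r\n"
    "User-Agent: Mozilla/5.0::/.token\r\n\r\n",
    # 1: trycloudflare host but an ordinary UA -> no alert
    "GET /b HTTP/1.1\r\nHost: example-words.trycloudflare.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0)\r\n\r\n",
    # 2: delimiter present but not a trycloudflare host -> no alert
    "GET /c HTTP/1.1\r\nHost: www.example.org\r\n"
    "User-Agent: curl/8.0::/.x\r\n\r\n",
]

if __name__ == "__main__":
    print("UA pattern bytes:", UA_NEEDLE)
    print("alerting request indices:", scan(SAMPLE_REQUESTS))
```

Because both `content` matches are unanchored substrings, a host such as `x.trycloudflare.com.example.net` would also satisfy the http.host check; if that ever proves noisy, `endswith` on the host is the obvious tightening, matching what `endswith;` would do in the rule itself.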