alert http $HOME_NET any -> any 3100 (msg:"C2 VoidLink bootstrap fetch, token-shape key (EXPERIMENTAL)"; \
flow:to_server,established; \
http.method; content:"GET"; \
http.uri; content:"/api/bootstrap-install-script?key="; pcre:"/[?&]key=[A-Za-z0-9_-]{54}(?:&|$)/"; \
classtype:trojan-activity; sid:1000231013; rev:2; \
metadata:created_at 2026-06-08, confidence Medium;)

Egress · TCP/3100 · SID 1000231013
Experimental, tighter variant of 1000231010. The enrolment token is a 54-character base64url string (`base64url(40 random bytes)`, no padding; redacted shape `xxxxxxx_xxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxx`; the two underscores are part of the base64url alphabet). This rule keeps the endpoint anchor and adds a PCRE asserting the `key=` value is exactly 54 base64url chars, so it confirms both the endpoint and the token shape and still fires if the operator rotates the token value. Pin the destination to known VoidLink C2 IPs for production use.
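
The shape check from the rule's PCRE, exercised offline against constructed request URIs (an added example, not part of the original rule set; the `os=linux` parameter and the `/healthz` path are made-up test inputs). It also adds a stricter triage check, which the PCRE itself does not assert, that the key is the canonical encoding of exactly 40 bytes.

```python
import base64
import re
import secrets

ENDPOINT = "/api/bootstrap-install-script?key="  # content anchor from the rule
# Same expression as the rule's pcre, with a capture group added around the key.
KEY_RE = re.compile(r"[?&]key=([A-Za-z0-9_-]{54})(?:&|$)")


def make_token() -> str:
    """Constructed token of the documented shape: base64url(40 random bytes), unpadded."""
    return base64.urlsafe_b64encode(secrets.token_bytes(40)).rstrip(b"=").decode()


def rule_matches(uri: str) -> bool:
    """Mirror the rule: endpoint anchor present and key value exactly 54 base64url chars."""
    return ENDPOINT in uri and KEY_RE.search(uri) is not None


def decodes_to_40_bytes(uri: str) -> bool:
    """Stricter triage check: key is the canonical encoding of exactly 40 bytes."""
    m = KEY_RE.search(uri)
    if m is None:
        return False
    token = m.group(1)
    raw = base64.urlsafe_b64decode(token + "==")  # 54 chars need two pad chars
    canonical = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return len(raw) == 40 and canonical == token


def evaluate_samples() -> dict:
    """Run the rule logic over constructed URIs; returns {label: matched}."""
    t = make_token()
    samples = {
        "exact": ENDPOINT + t,
        "extra_param": ENDPOINT + t + "&os=linux",  # constructed parameter
        "one_short": ENDPOINT + t[:-1],
        "one_long": ENDPOINT + t + "A",
        "padded": ENDPOINT + t + "==",
        "other_path": "/healthz?key=" + t,  # constructed path
    }
    return {label: rule_matches(uri) for label, uri in samples.items()}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{label:12} {'ALERT' if hit else 'no match'}")
```

A key that matches the 54-character shape but fails `decodes_to_40_bytes` has non-zero trailing bits in its last character, so it was not produced by encoding 40 bytes; that distinction helps separate coincidental matches during triage.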