Rule History

alert smb $HOME_NET any -> $HOME_NET 445 (msg: "SPYWARE [PTsecurity] Buhtrap"; flow: established, to_server, no_stream; content: "SMB"; content: "|05 00|"; distance: 8; within: 2; content: ".|00|e|00|x|00|e|00|"; nocase; distance: 96; pcre: "/([0-9A-F]\x00){8,15}\x2e\x00e\x00x\x00e\x00/"; flowbits: isset, Pegasus.arch_probe; reference: url, rules.ptsecurity.com; classtype: trojan-activity; sid: 10003309; rev: 3;)