Rule History

SID: 10005952 • Source: ptrules/open

Versions (6)

Version Details (Current)

Rev: 3, Sep 4, 2025, 8:46 AM

TOOLS [PTsecurity] xfreerdp/remmina RDP client

alert tcp any any -> any any (msg: "TOOLS [PTsecurity] xfreerdp/remmina RDP client"; flow: established, to_server, no_stream; content: "|03 00|"; depth: 2; content: "Duca"; distance: 0; content: "|01 C0|"; distance: 2; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|04 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|02 C0|"; within: 2; byte_jump: 2, 0, relative, little, post_offset -4; content: "|03 C0|"; within: 2; byte_extract: 2, 0, CLIENTNETWORKDATALEN, relative, little; isdataat: !CLIENTNETWORKDATALEN, relative; pcre: "/(?:^.{4}cliprdr.{5}$|^.{4}drdynvc.{5}$|^.{4}rdpdr.{7}rdpsnd.{6}(?:drdynvc.{5}$|cliprdr|$))/R"; reference: url, rules.ptsecurity.com; classtype: policy-violation; sid: 10005952; rev: 3;)

Other versions: Sep 4, 2025, 8:46 AM; Oct 16, 2025, 10:34 AM

rules/ptopen-tools.rules