alert tcp any any -> any any (msg:"SHELL [PTsecurity] Meterpreter Checkin"; flow:established, to_server; dsize:397; stream_size:server, >, 1024; stream_size:client, =, 398; content:!"|00 00 00 00|"; depth:112; byte_extract:1, 0, first; byte_test:1, !=, first, 1; byte_test:1, !=, first, 2; byte_extract:3, 0, pattern; byte_test:3, !=, pattern, 4; byte_test:3, =, pattern, 20; byte_test:3, =, pattern, 28; byte_test:3, =, pattern, 32; byte_test:3, =, pattern, 56; byte_test:3, =, pattern, 64; byte_test:3, =, pattern, 68; byte_test:3, =, pattern, 108; reference:url, https://www.virustotal.com/gui/file/13617156919d3ef0243d66b21e041635ac158b8aa73ace383c383db74db422fd/detection; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10011768; rev:3;)