alert tcp any any -> any any (msg:"BOTNET [PTsecurity] RustoBot Initial Connection"; flow:established, to_server; stream_size:server, =, 1; dsize:< 25; content:"|01 3a|"; depth:2; fast_pattern; pcre:"/\:\d\:(true|false)\:\d{4}/"; reference:url, bi.zone/expertise/blog/zloumyshlenniki-ekspluatiruyut-uyazvimost-cve-2025-55182-v-atakakh-na-rossiyskie-kompanii/; reference:url, app.any.run/tasks/27847b7d-0c4e-4313-9daf-d3ae2ba84cfc; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10016259; rev:1;)