alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow:to_client,established; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; nocase; within:40; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; classtype:trojan-activity; sid:2002029; rev:11; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;)