alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IRC Potential bot scan/exploit command"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"PRIVMSG|20|"; depth:8; content:"|3a|"; within:30; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; classtype:trojan-activity; sid:2002030; rev:16; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;)