alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED IRC channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; classtype:trojan-activity; sid:2002385; rev:16; metadata:created_at 2010_07_30, signature_severity Unknown, updated_at 2019_07_26;)