alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE perlb0t/w0rmb0t Response 2"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"|3A 02 03|4|5B|"; content:"|03 02|"; within:32; pcre:"/\x3A\x02\x034\x5B(BackConnect|help|HTTP.*|SCAN|TCP.*|UDP.*|VERSION)\x5D\x03\x02/i"; classtype:trojan-activity; sid:2006911; rev:8; metadata:created_at 2010_07_30, signature_severity Major, updated_at 2019_07_26;)