alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET MALWARE Possible Upatre Downloader SSL certificate (fake loc)"; flow:established,from_server; tls.certs; content:"|06 03 55 04 07|"; pcre:"/^.{2}(?P<fake_loc>([asdfgh]+|[qwerty]+|[zxcvbn]+|[23werf]+)[01]).+?\x06\x03\x55\x04\x07.{2}(?P=fake_loc)/Rs"; classtype:trojan-activity; sid:2018457; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2014_05_09, deployment Perimeter, deprecation_reason Performance, malware_family Upatre, performance_impact Significant, confidence Medium, signature_severity Critical, tag SSL_Malicious_Cert, tag Exploit_Kit, tag Downloader, tag Upatre, updated_at 2024_07_02, reviewed_at 2024_03_06;)