alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3"; flow:to_server,established; content:"|33 33|"; offset:2; depth:2; content:!"|33 33|"; within:2; content:"|33 33|"; distance:2; within:2; content:!"|33 33|"; within:2; content:"|33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33 33|"; pcre:"/[^\x33][^\x6f\x19\x18\x0e\x4f\x09\x08\x11\x0c\x0f\x0d\x1f\x10\x39][\x00-\x07\x0b\x0a\x1e\x1d\x12\x13\x15\x10\x1b\x1a\x54-\x5f\x50-\x52\x40-\x4b\x4d\x4e\x70-\x7f\x60-\x67\x69-\x6d]{1,14}\x33/R"; reference:md5,c150f9738142278e2d39417a7ef53cae; classtype:command-and-control; sid:2019203; rev:2; metadata:created_at 2014_09_22, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)