alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible IRCBot.DDOS Common Commands"; flow:established,to_client; content:"PRIVMSG "; depth:8; pcre:"/^[^\r\n]*?\x3a[^\r\n]*?(?:port(?:scan)?|udp[1-3]|tcp|http|download)[^\r\n]+?(?:\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}|https?\x3A\x2F\x2F)/Ri"; reference:md5,ef54080af1782dd29356032b7ff20849; classtype:trojan-activity; sid:2019471; rev:3; metadata:created_at 2014_10_20, confidence Medium, signature_severity Major, updated_at 2019_07_26;)