alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 4"; flow:to_server,established; content:"|28 28|"; offset:2; depth:2; content:!"|28 28|"; within:2; content:"|28 28|"; distance:2; within:2; content:!"|28 28|"; within:2; content:"|28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28 28|"; pcre:"/[^\x28][^\x76\x74\x02\x03\x15\x54\x12\x13\x0a\x17\x14\x16\x04\x0b\x22][\x05\x09\x0b\x0e\x08\x06\x1a-\x1f\x10\x11\x18\x19\x40-\x47\x48-\x4f\x50-\x53\x55\x56\x58-\x5e\x60-\x68\x6a-\x6f\x70\x72\x76-\x7e]{1,14}\x28/R"; reference:md5,0c2cb38062e0fb6b040518a384418b7b; classtype:command-and-control; sid:2019601; rev:6; metadata:created_at 2014_10_30, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)