alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE DirectsX Checkin Response"; flow:established,from_server; stream_size:server,<,30; dsize:25; content:"|19 00 00 00|"; offset:17; depth:4; content:!"|00 00|"; within:2; content:!"|ff ff|"; within:2; content:!"_loc"; reference:url,public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf; classtype:command-and-control; sid:2019633; rev:3; metadata:created_at 2014_11_04, signature_severity Major, updated_at 2022_05_11;)