alert tcp $HOME_NET any -> $EXTERNAL_NET [!5800,!445] (msg:"ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 5"; flow:to_server,established; content:"|15 15|"; offset:2; depth:2; content:!"|15 15|"; within:2; content:"|15 15|"; distance:2; within:2; content:!"|15 15|"; within:2; content:"|15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15 15|"; fast_pattern; pcre:"/[^\x15][^\x49\x3f\x3e\x28\x69\x2f\x2e\x37\x2a\x29\x2b\x39\x36][\x20-\x27\x2c\x2d\x30\x31\x33-\x36\x38\x3b-\x3d\x40-\x47\x4a-\x4d\x4f\x50-\x5f\x60\x68\x6b-\x6f\x70-\x74\x76-\x7f]{1,14}\x15/R"; reference:md5,05054afcfc6a651a057e47cd0f013c7b; classtype:command-and-control; sid:2020215; rev:6; metadata:created_at 2015_01_20, confidence High, signature_severity Major, updated_at 2022_03_28;)