alert tcp $HOME_NET any -> $EXTERNAL_NET ![25,465,587] (msg:"ET MALWARE HOMEUNIX/9002 CnC Beacon"; flow:established,to_server; dsize:48; content:!"|00 00 00|"; offset:1; depth:3; byte_extract:3,1,xor_key; byte_test:3,=,xor_key,9; byte_test:3,=,xor_key,13; byte_extract:1,1,same_test; byte_test:1,!=,same_test,8; byte_test:1,!=,same_test,33; pcre:!"/^[\x20-\x7e\r\n]+$/"; reference:md5,256438747bae78c9101c9a0d4efe5572; classtype:command-and-control; sid:2020714; rev:8; metadata:attack_target Client_Endpoint, created_at 2015_03_19, deployment Perimeter, signature_severity Major, tag c2, updated_at 2019_07_26, mitre_tactic_id TA0010, mitre_tactic_name Exfiltration, mitre_technique_id T1041, mitre_technique_name Exfiltration_Over_C2_Channel;)