alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Likely Malicious Redirect SSL Cert"; flow:established,from_server; content:"|55 04 03|"; content:"|14|formationtraffic.com"; distance:1; within:21; classtype:trojan-activity; sid:2021146; rev:4; metadata:attack_target Client_Endpoint, created_at 2015_05_26, deployment Perimeter, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_09_10;)