ET MALWARE Possible Dyre SSL Cert Sept 2 2015
Source: et/open
Created: September 3, 2015
Updated: March 27, 2022
Classification: trojan-activity
alert tls $EXTERNAL_NET [443,4443] -> $HOME_NET any (msg:"ET MALWARE Possible Dyre SSL Cert Sept 2 2015"; flow:established,to_client; tls.cert_serial; content:"00:"; startswith; bsize:26; tls.cert_subject; pcre:"/C=[A-Z]{2}\,/"; content:"ST="; distance:0; content:"L="; distance:0; content:"O="; distance:0; pcre:"/CN=[A-Z]/"; content:"OU="; distance:0; tls.certs; content:"|2a 86 48 86 f7 0d 01 09 01|"; fast_pattern; distance:0; pcre:"/^.{2}[a-z]+@[a-z]+\.com[01]/R"; content:"|55 04 0a|"; pcre:"/^.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)/Rsi"; content:!"Beam Propulsion"; reference:md5,52faadf69c492e5bea1b3ad77fd7e8b1; reference:url,us-cert.gov/ncas/alerts/TA14-300A; classtype:trojan-activity; sid:2021743; rev:7; metadata:attack_target Client_Endpoint, created_at 2015_09_03, deployment Perimeter, deprecation_reason Relevance, performance_impact Moderate, confidence Medium, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2022_03_27;)
References
| md5 | 52faadf69c492e5bea1b3ad77fd7e8b1 |
| url | us-cert.gov/ncas/alerts/TA14-300A |
Metadata
attack target: Client_Endpoint
created at: 2015_09_03
deployment: Perimeter
deprecation reason: Relevance
performance impact: Moderate
confidence: Medium
signature severity: Major
tag: SSL_Malicious_Cert
updated at: 2022_03_27
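The rule above chains three buffers: a 9-byte serial rendered as colon-separated hex starting with "00:", an ordered walk over the rendered subject (C=XX, then ST=, L=, O=, a CN starting with a capital letter, OU= after it), and two raw-DER regexes over tls.certs that look for a lower-case user@host.com emailAddress and for an organizationName value repeated verbatim as the organizationalUnitName. The following Python re-implements those checks so they can be run offline against certificate material, for example when hunting through a certificate collection. It is an added example, not code from the Emerging Threats rule or its page: the serial, subject values and e-mail address are constructed test data, the DER encoder covers only what an X.501 Name needs, and the colon-separated serial and comma-separated subject rendering follow what the rule's own pcre expects.

```python
"""Offline re-implementation of the checks in ET sid 2021743 (Possible Dyre SSL Cert).

Added example: this is not code from the Emerging Threats rule or its page. The
subject values, serial number and e-mail address below are constructed test data,
and the DER encoder covers only what an X.501 Name needs.
"""
import re

# X.520 attribute OIDs and the PKCS#9 emailAddress OID, as DER-encoded OID contents.
OID = {
    "C": b"\x55\x04\x06",
    "ST": b"\x55\x04\x08",
    "L": b"\x55\x04\x07",
    "O": b"\x55\x04\x0a",
    "OU": b"\x55\x04\x0b",
    "CN": b"\x55\x04\x03",
    "emailAddress": b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01",
}

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (lengths up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def encode_subject(attrs):
    """DER-encode [(attr, value), ...] as an X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue."""
    rdns = b""
    for name, value in attrs:
        # emailAddress is an IA5String (0x16); the X.520 attributes here use PrintableString (0x13).
        tag = 0x16 if name == "emailAddress" else 0x13
        atv = _tlv(0x30, _tlv(0x06, OID[name]) + _tlv(tag, value.encode("ascii")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)

def build_cert_fragment(attrs):
    """Subject Name plus an empty SEQUENCE standing in for the SubjectPublicKeyInfo that follows
    the subject in a real TBSCertificate; the rule's e-mail pcre needs that next tag byte."""
    return encode_subject(attrs) + _tlv(0x30, b"")

def format_subject(attrs):
    """Comma-separated 'C=US, ST=..., ...' text, the form the rule's tls.cert_subject checks expect."""
    return ", ".join(f"{k}={v}" for k, v in attrs)

def subject_matches(subject: str) -> bool:
    """Mirror the tls.cert_subject chain: C=XX followed in order by ST=, L= and O= (each
    distance:0 is relative to the previous match), a CN starting with an upper-case letter
    anywhere, and OU= somewhere after that CN."""
    m = re.search(r"C=[A-Z]{2},", subject)
    if not m:
        return False
    pos = m.end()
    for token in ("ST=", "L=", "O="):
        pos = subject.find(token, pos)
        if pos < 0:
            return False
        pos += len(token)
    cn = re.search(r"CN=[A-Z]", subject)
    return cn is not None and "OU=" in subject[cn.end():]

# tls.certs checks, transcribed from the rule's pcre into Python byte regexes.
# emailAddress OID, tag + length, then a lower-case user@host.com immediately followed by
# 0x30/0x31 ('0'/'1'): the SEQUENCE or SET tag of the next DER element.
EMAIL_RE = re.compile(rb"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01.{2}[a-z]+@[a-z]+\.com[01]", re.S)
# O OID, string tag, then <length byte><value> captured as orgname and required again after the
# OU OID. DER SET/SEQUENCE tags (0x31/0x30) are the '0'/'1' that terminate the [^01]+ run.
ORG_EQ_OU_RE = re.compile(
    rb"\x55\x04\x0a.(?P<orgname>.[^01]+).*?\x55\x04\x0b.(?P=orgname)", re.S | re.I)

def matches_rule(serial: str, attrs, cert_bytes: bytes) -> bool:
    """All of the rule's conditions: 9-byte serial rendered as 'XX:..' starting '00:',
    the subject chain, the raw-DER e-mail and O/OU checks, and the Beam Propulsion exclusion."""
    return (
        len(serial) == 26 and serial.startswith("00:")
        and subject_matches(format_subject(attrs))
        and EMAIL_RE.search(cert_bytes) is not None
        and ORG_EQ_OU_RE.search(cert_bytes) is not None
        and b"Beam Propulsion" not in cert_bytes
    )

# Constructed samples (not real Dyre data). HIT repeats the organisation name in OU, as the rule
# requires; MISS uses a different OU so the backreference fails.
HIT_SERIAL = "00:A1:B2:C3:D4:E5:F6:07:18"
HIT_ATTRS = [
    ("C", "US"), ("ST", "Some-State"), ("L", "Springfield"), ("O", "Rkuqzuvb"),
    ("CN", "Rkuqzuvb Ltd"), ("OU", "Rkuqzuvb"), ("emailAddress", "wqzhdb@dtsmmpa.com"),
]
MISS_ATTRS = [(k, "Marketing" if k == "OU" else v) for k, v in HIT_ATTRS]

if __name__ == "__main__":
    for label, attrs in (("O == OU", HIT_ATTRS), ("O != OU", MISS_ATTRS)):
        print(f"{label}: {matches_rule(HIT_SERIAL, attrs, build_cert_fragment(attrs))}")
```

Two details of the rule become visible once it is written out this way. The e-mail pcre only matches when the address is immediately followed by a 0x30 or 0x31 byte, which in a real certificate is the tag of the next DER element, so the fragment above appends a stand-in SEQUENCE to reproduce that. And because `[^01]+` can backtrack, the O/OU backreference does not strictly require the two values to be identical: it is satisfied whenever the OU value has the same length byte as the O value and shares at least its first character (provided that prefix contains no '0' or '1'). The MISS sample changes the length as well as the text, which is why it fails cleanly; when evaluating false positives, equal-length O and OU values with a common leading letter should be expected to fire.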