alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)"; flow:established,from_server; content:"|03 02 01 02 02 09 00|"; fast_pattern; content:"|30 09 06 03 55 04 06 13 02|"; distance:0; pcre:"/^[A-Z]{2}/R"; content:!"|55 04 08|"; distance:0; content:"|55 04 07|"; distance:0; pcre:"/^.{2}[A-Z][a-z]+(?:\x27[a-z]+|(?:\x20[A-Z][a-z]+){1,2})?[01]/Rs"; content:"|55 04 0a|"; distance:0; pcre:"/^.{2}[A-Z][a-z]{3,}\s(?:[A-Z][a-z]{3,}\s)?(?:[A-Z](?:[A-Za-z]{0,4}?[A-Z]|(?:\.[A-Za-z]){1,3})|[A-Z]?[a-z]+)\.?[01]/Rs"; content:"|55 04 03|"; distance:0; byte_test:1,>,7,1,relative; pcre:"/^.{2}(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?:(?:\d[A-Z]?|[A-Z]\d?)[a-z]{6,20}|[A-Z]?[a-z]{3,7}\d[a-z]{3,7})\.(?!(?:com|net|org)[01])[a-z]{2,}[01]/Rs"; content:!"|2a 86 48 86 f7 0d 01 09 01|"; reference:url,sslbl.abuse.ch; classtype:domain-c2; sid:2022627; rev:12; metadata:attack_target Client_and_Server, created_at 2016_03_17, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag SSL_Malicious_Cert, updated_at 2019_07_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1071, mitre_technique_name Application_Layer_Protocol;)