alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Win32.Kovter Client CnC Traffic"; flow:established,to_server; dsize:4<>256; content:!"HTTP"; content:"|00 00 00|"; offset:1; depth:3; pcre:"/^[\x11\x21-\x26\x41\x45\x70-\x79]/R"; content:!"|00 00|"; distance:0; byte_jump:1,0,from_beginning,post_offset 3; isdataat:!2,relative; pcre:!"/\x00$/"; reference:url,symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update; classtype:command-and-control; sid:2022861; rev:3; metadata:created_at 2016_06_06, signature_severity Unknown, updated_at 2022_08_30;)