alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET MALWARE MAGICHOUND.MPK Activity via IRC"; flow:established,to_server; content:"PRIVMSG mpk|20 3a|"; content:"!MpkPing|20|<<mpk>>"; fast_pattern; distance:0; pcre:"/^\d{5}/R"; content:"<<mpk>>|20|<<mpk>>"; distance:0; pcre:"/^\d/R"; content:"<<mpk>>"; distance:0; reference:md5,ece5b62a4ed4e88dab4f1b5451f54794; reference:url,researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/; classtype:trojan-activity; sid:2023940; rev:2; metadata:created_at 2015_10_14, signature_severity Major, updated_at 2023_03_24;)