alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/FlawedAmmyy RAT CnC Checkin"; flow:established,to_server; content:"|00 00 00 69 64 3d|"; depth:10; content:"|26 6f 73 3d|"; within:30; content:"|26 70 72 69 76 3d|"; within:20; content:"|26 63 72 65 64 3d|"; within:20; content:"|26 70 63 6e 61 6d 65 3d|"; distance:0; content:"|26 61 76 6e 61 6d 65 3d|"; distance:0; content:"|26 62 75 69 6c 64 5f 74 69 6d 65 3d|"; distance:0; fast_pattern; content:"|26 63 61 72 64 3d|"; distance:0; reference:md5,32485b8cedc5b79aa1bf2d7ceae0ef31; classtype:command-and-control; sid:2025408; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_03_01, deployment Perimeter, malware_family FlawedAmmyy, performance_impact Moderate, confidence High, signature_severity Major, updated_at 2020_08_19;)