alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor family PCRat/Gh0st CnC traffic (OUTBOUND) 109"; flow:established,to_server; app-layer-protocol:!tls; stream_size:server,<,5; dsize:<250; content:"|00 00 01 78 9c|"; offset:10; depth:5; fast_pattern; byte_jump:2,0,little,from_beginning, post_offset 3; isdataat:!2,relative; pcre:"/^(?<len>.{2})\xc0\xff(?P=len)\x00\x00.{2}\x00\x00\x01\x78\x9c/s"; reference:md5,edacdc76bb11e8db5c1a1b8917b5deb0; classtype:command-and-control; sid:2034977; rev:2; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2022_01_26, deployment Perimeter, malware_family Gh0st, performance_impact Moderate, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_03;)