alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Group 21 Payload CnC Checkin"; flow:established,to_server; dsize:<400; content:"|3a 3a|MAC|3a 3a|"; startswith; content:"|3a 3a|HOSTNAME/USERNAME|3a 3a|"; within:100; fast_pattern; content:"|3a 3a|U-FILE|3a 3a|"; within:100; reference:md5,6a271282fe97322d49e9692891332ad7; classtype:trojan-activity; sid:2035061; rev:3; metadata:created_at 2020_01_16, confidence High, signature_severity Major, updated_at 2020_08_19;)