alert tcp $HOME_NET ![80,8080] -> $EXTERNAL_NET any (msg:"ET HUNTING PNG image exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,160; dsize:>11; content:"|89|PNG|0d 0a 1a 0a 00 00 00 0d|IHDR|00 00|"; startswith; flowbits:set,ET.tcpraw.png; reference:md5,a271e5179f0a98a295736bd7a41a39fc; classtype:misc-activity; sid:2035476; rev:3; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_05_23, reviewed_at 2025_04_17;)