alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET HUNTING ZIP file exfiltration over raw TCP"; flow:established,to_server; stream_size:server,<,5; dsize:>11; content:"PK|03 04|"; fast_pattern; startswith; byte_test:1,<=,20,0,relative; content:"|00 00 00|"; distance:1; within:3; reference:url,users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html; classtype:misc-activity; sid:2035478; rev:2; metadata:attack_target Client_Endpoint, created_at 2022_03_16, deployment Perimeter, performance_impact Moderate, confidence Medium, signature_severity Informational, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_03_16;)