alert tls $EXTERNAL_NET ![443,587] -> $HOME_NET any (msg:"ET MALWARE Observed Qbot Style SSL Certificate"; flow:established,from_server; tls.cert_issuer; content:"C="; depth:2; content:",|20|ST="; distance:2; within:5; content:",|20|L="; distance:2; within:4; content:",|20|O="; within:20; content:",|20|CN="; within:50; pcre:"/^C=(?:M[ACDEGHKLMNOPQRSTUVWXYZ]|G[ABDEFGHILMNPQRSTUWY]|B[ABDEFGHIJMNORSTVWZ]|A[DEFGILMNOQRSTUWXZ]|S[ABCEGHIJKLMNRTUVZ]|C[ACFHIKLMNORSVXYZ]|T[CDFGHJKMNOPRTVWZ]|P[AEFGHKLMNRSTWY]|N[ACEFGILOPRTUZ]|K[EGHIMNRWYZ]|L[ACIKSTUVY]|I[DELMNOST]|E[CEGHRST]|F[IJKMORX]|U[AGKMSYZ]|V[ACEGINU]|D[EJKMOZ]|H[KMNRTU]|R[EOSUW]|J[EMOP]|W[FS]|Y[ET]|Z[AM]|OM|QA),\sST=(?!(?:M[ADEINOST]|N[CDEHJMVY]|A[KLRZ]|I[ADLN]|W[AIVY]|C[AOT]|O[HKR]|[GLP]A|K[SY]|S[CD]|T[NX]|V[AT]|[HR]I|DE|FL|UT))[A-Z]{2},\sL=[A-Z][a-z]{2,15}(?:\s[A-Z][a-z]{2,10})?,\sO=[A-Z][a-z]{2,25}\s[A-Z][a-z]{2,25}(?:\s[A-Z][a-z]{2,25})?(?:\s[A-Z][a-z]{2,25})?(?:\s(?:Inc|LLC)\.)?,\sCN=[a-z]{4,11}\.[a-z]{2,4}$/"; classtype:trojan-activity; sid:2035530; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2019_02_15, deployment Perimeter, malware_family Qbot, performance_impact Significant, confidence High, signature_severity Major, updated_at 2021_04_20;)