alert tcp $HOME_NET any -> $EXTERNAL_NET [8000:8001] (msg:"ET MALWARE Backdoor/Win.Gh0stRAT CnC Exfil"; flow:established,to_server; dsize:571; content:"|b9 b6 b5 c8 f1 ef ef d3 f1 ef ef ee ef ef ef 2c|"; startswith; fast_pattern; content:"|99 91 31 a9 39 97 27 81 f1|"; endswith; threshold:type limit, track by_src, count 5, seconds 600; reference:md5,782cbc8660ff9e94e584adfcbc4cb961; reference:url,asec.ahnlab.com/en/32572; classtype:trojan-activity; sid:2035536; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2022_03_18, deployment Perimeter, malware_family Gh0stCringe, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_14;)