alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE NginxSpy Magic Bytes M1 (Outbound)"; flow:established,to_client; flowbits:isset,ET.nginxspy; content:"|e5 cf ff 02 b1 69 20 69 75 15 99 45 20 2e 0a 10 e3 10 b3 70 8d 6d ab 54 52 79 f0 1b 78 5e d1 46|"; fast_pattern; reference:url,jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_4_peter-jr-wei_en.pdf; classtype:trojan-activity; sid:2044124; rev:1; metadata:attack_target Web_Server, created_at 2023_02_06, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_02_06; target:src_ip;)