alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Mystic Stealer C2 Session Key Response Packet"; flow:established,to_client; dsize:256; stream_size:client,=,5; stream_size:server,=,257; flowbits:isset, mystic_stealer_conn_init; reference:md5,df80b1e50cfebb0c4dbf5ac51c5d7254; reference:url,inquest.net/blog/2023/06/15/mystic-stealer-new-kid-block; reference:url,www.zscaler.com/blogs/security-research/mystic-stealer; classtype:trojan-activity; sid:2046295; rev:2; metadata:attack_target Client_Endpoint, created_at 2023_06_16, deployment Perimeter, malware_family Mystic, performance_impact Significant, confidence Medium, signature_severity Major, tag Stealer, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_06_28;)