alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [ANY.RUN] MetaStealer v.5 CnC Activity (MC-NMF TLS SNI)"; flow:established,to_server, only_stream; content:"|00 01 00 01 02 02 1F|net.tcp://"; startswith; content:"|03 08 09 13|application/ssl-tls"; distance:0; content:"|00 07 00 00 04 3f|124|00 0a|"; distance:0; within:200; fast_pattern; reference:url,community.emergingthreats.net/t/metastealer-v-5-tls/1800; classtype:trojan-activity; sid:2054404; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, tls_state plaintext, created_at 2024_07_08, deployment Perimeter, malware_family MetaStealer, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_07_09, reviewed_at 2025_04_21;)