ET MALWARE [NCSC] Pygmy Goat SSH ed25519 Key
Source: et/open
Created: November 5, 2024
Updated: November 5, 2024
Classification: trojan-activity
alert ssh $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE [NCSC] Pygmy Goat SSH ed25519 Key"; flow:established,to_client; content:"|29 cc f0 cc 16 c5 46 6e 52 19 82 8e 86 65 42 8c 1f 1a d4 c3 a5 b1 cb fc c0 26 6c 31 3c 5c 90 3a 24 7d e4 d3 57 6d da 8e cb f4 66 d1 cb 81 4f 63 fd 4a fa 06 e4 7e 4c a0 95 91 bd cb 97 a4 b3 0f|"; fast_pattern; offset:120; depth:64; reference:url,www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf; classtype:trojan-activity; sid:2057247; rev:1; metadata:affected_product Sophos_XG, attack_target Networking_Equipment, tls_state plaintext, created_at 2024_11_05, deployment Perimeter, deployment Internal, malware_family Pygmy_Goat, performance_impact Low, confidence Low, signature_severity Major, updated_at 2024_11_05; target:src_ip;)
References
Metadata
affected product: Sophos_XG
attack target: Networking_Equipment
tls state: plaintext
created at: 2024_11_05
deployment: Internal
malware family: Pygmy_Goat
performance impact: Low
confidence: Low
signature severity: Major
updated at: 2024_11_05