alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE HTran/SensLiceld.A response to infected host - Outbound Connection Attempt"; flow:established,to_client; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; startswith; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2060253; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Linux, affected_product Windows_11, attack_target Client_and_Server, tls_state TLSDecrypt, created_at 2025_02_21, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag HTRAN, updated_at 2025_02_21, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1090, mitre_technique_name Proxy; target:dest_ip;)