alert tcp any any -> $HOME_NET any (msg:"ET HUNTING Known Vulnerable Windows Driver (pstrip64.sys) File Inbound"; flow:established,to_client; file.data; content:"|00460069006c006500560065007200730069006f006e|"; content:"|0031002e003000|"; within:22; content:"|0049006e007400650072006e0061006c004e0061006d0065|"; content:"|00700073007400720069007000360034002e00730079007300|"; within:58; content:"|00460069006c0065004400650073006300720069007000740069006f006e|"; content:"|0045006e005400650063006800200078003600340020006b00650072006e0065006c002d006d006f00640065002000640072006900760065007200|"; within:126; fast_pattern; reference:url,www.virustotal.com/gui/file/ab01485bb7c8bc1a9c86096eeea6d31d8fad557bf4d44072b46373d2203faa6e; classtype:bad-unknown; sid:2068794; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_04_15, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2026_04_15; target:dest_ip;)