alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"🐾 - 🚨 RDP established connection to Internet"; flow:to_client, stateless; flowbits:isset,pptrls.rdpexter; content:"|16 03 03|"; content:"|00 00 00|"; target:dest_ip; metadata:attack_target Client_and_Server, signature_severity Major, created_at 2024_11_05, updated_at 2024_11_05; sid:3321400; rev:2; classtype:policy-violation;)