alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ATTACK [PTsecurity] RCE attempt via malformed ASPack"; content:"M"; offset:0; depth:2; content:"Z"; distance:-2; within:3; content:"PE"; offset:64; depth:2; byte_test:4, >, 0, 70, little; byte_extract:4, 144, cve20162208, little; byte_test:4, >, cve20162208, 328, little; reference:cve, 2016-2208; reference:url, bugs.chromium.org/p/project-zero/issues/detail?id=820; classtype:attempted-dos; reference:url, github.com/ptresearch/AttackDetection; sid:10000057; rev:1;)