alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ATTACK [PTsecurity] Apple macOS 10.12.1/iOS 10 OCSP DDoS Attempt (CVE-2016-7636)"; flow:established, from_server, only_stream; content:"|16 03|"; depth:2; content:"|16 03|"; content:"|0B|"; distance:3; within:1; content:"|30 83|"; content:"|30|"; distance:3; within:1; content:"|06 08 2B 06 01 05 05 07 30 02 86|"; distance:1; within:11; byte_jump:1, 0, relative; content:"|30|"; content:"|06 08 2B 06 01 05 05 07 30 02 86|"; distance:1; within:11; byte_jump:1, 0, relative; content:"|30|"; pcre:"/(?:[^\x06]+\x06\x08\x2B\x06\x01\x05\x05\x07\x30\x02\x86){10,}/"; reference:cve, 2016-7636; reference:url, cxsecurity.com/issue/WLB-2016100213; classtype:attempted-dos; reference:url, github.com/ptresearch/AttackDetection; sid:10000495; rev:1;)