MALWARE [PTsecurity] Dridex/Feodo-D SSL connection #1

SID: 10001685
Rev: 1
Source: ptresearch/attackdetection
Created: August 1, 2017
Updated: August 1, 2017
Classification: trojan-activity

alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE [PTsecurity] Dridex/Feodo-D SSL connection #1"; flow:established, to_server; content:"|1703|"; depth:2; byte_test:2, >=,2512, 1, relative; byte_test:2, <=,7900, 1, relative; stream_size:server, <,1905; stream_size:client, <,9911; stream_size:client, >,0; stream_size:server, >,0; flowbits:noalert; flowbits:isset, FB313831_0; flowbits:unset, FB313831_0; flowbits:set, FB313831_1; classtype:trojan-activity; metadata:created_at 2017_8_1; reference:url, github.com/ptresearch/AttackDetection; sid:10001685; rev:1;)

Metadata

created at: 2017_8_1
