alert smb $HOME_NET any -> any any (msg:"ATTACK [PTsecurity] NT Trans Response"; flow:established, from_server; content:"|FF|SMB|A0|"; offset:4; depth:5; flowbits:isset, EternalRomance.RaceCondition.Possible; flowbits:unset, EternalRomance.RaceCondition.Possible; flowbits:noalert; reference:cve, 2017-0146; reference:url, github.com/rapid7/metasploit-framework/commit/c9473f8cbc147fe6ff7fe27862fd3d1e9f27c4f5; reference:url, blogs.technet.microsoft.com/srd/2017/06/29/eternal-champion-exploit-analysis; classtype:attempted-admin; reference:url, github.com/ptresearch/AttackDetection; sid:10001718; rev:1;)