alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR [PTsecurity] Possible SSVagent.APT31"; flow:established, to_server; content:"|00 00 00|"; offset:1; depth:3; http_client_body; pcre:"/^.{12}[A-F-0-9]{32}/P"; content:"|0d0a 0d0a|"; depth:300; byte_jump:1, 0, relative; isdataat:!5, relative; classtype:trojan-activity; sid:10006531; rev:2;)