MALWARE [PTsecurity] Ursnif Malicious SSL detect pkt checker #0
Source: ptresearch/attackdetection
Created: January 18, 2018
Updated: January 18, 2018
Classification: trojan-activity
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE [PTsecurity] Ursnif Malicious SSL detect pkt checker #0"; flow:established,from_server; content:"|09 00 C1 0E 3F 17 BC 2F BE 83|"; depth:300; content:"|55 04 08|"; distance:0; content:"|0A|Some-State"; distance:1; within:11; content:"|55 04 0A|"; distance:0; content:"|18|Internet Widgits Pty Ltd"; distance:1; within:25; fast_pattern; flowbits:set, FB449906_; flowbits:noalert; reference:md5,65dae76418fa23277068a00e6a0199d; classtype:trojan-activity; reference:url, github.com/ptresearch/AttackDetection; sid:11002454; rev:1; metadata:attack_target Client_Endpoint, deployment Perimeter, tag SSL_Malicious_Cert, signature_severity Major, created_at 2018_01_18;)
Metadata
attack target: Client_Endpoint
deployment: Perimeter
tag: SSL_Malicious_Cert
signature severity: Major
created at: 2018_01_18