alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE [PTsecurity] Backdoor.Java.Adwind.cu"; flow:established, to_client; content:"|1703|"; depth:2; content:"|0050|"; distance:1; within:2; fast_pattern; stream_size:server, >,1843; stream_size:server, <,3036; stream_size:client, >,1476; stream_size:client, <,8834; flowbits:isset, FB332502_3; flowbits:unset, FB332502_3; threshold:type limit, track by_src, count 1, seconds 30; metadata:former_category TROJAN; reference:md5,56e42156a1676b34f5350c01e34875d1; classtype:trojan-activity; reference:url, github.com/ptresearch/AttackDetection; sid:11124756; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_09_21, malware_family Adwind, performance_impact Moderate, updated_at 2018_02_14;)