ATTACK [PTsecurity] LSASS Remote Memory Corruption Attempt (MS16-137)
Source: ptrules/open
Created: July 24, 2025
Updated: July 24, 2025
Classification: attempted-dos
alert tcp any any -> any 445 (msg:"ATTACK [PTsecurity] LSASS Remote Memory Corruption Attempt (MS16-137)"; flow:established, no_stream; content:"|FF|SMB|73 00 00 00 00|"; offset:4; depth:9; content:"|FF 00|"; offset:37; depth:2; content:"|01 00 00 00 00 00|"; offset:45; depth:6; content:"|00 00 00 00 D4 00 00 A0|"; distance:2; within:8; content:"|A1 84|"; distance:2; within:2; byte_test:1,!=,0xD1,0,relative; flowbits:set, CVE.2016-7237.Attempt; xbits:set,CVE.2016-7237.Attempt,track ip_dst,expire 15; reference:cve, 2016-7237; reference:url, g-laurent.blogspot.ru/2016/11/ms16-137-lsass-remote-memory-corruption.html; reference:url, rules.ptsecurity.com; classtype:attempted-dos; sid:10000532; rev:2;)