alert tcp any any -> any any (msg:"TOOLS [PTsecurity] xfreerdp/vinagre/remmina RDP client"; flow:established, to_server, no_stream; content:"|03 00|"; depth:2; content:"Duca"; distance:0; content:"|01 C0|"; distance:2; within:2; byte_jump:2, 0, relative, little, post_offset -4; content:"|04 C0|"; within:2; byte_jump:2, 0, relative, little, post_offset -4; content:"|02 C0|"; within:2; byte_extract:2, 0, CLIENTNETWORKDATALEN, relative, little; isdataat:!CLIENTNETWORKDATALEN, relative; reference:url, rules.ptsecurity.com; classtype:policy-violation; sid:10005928; rev:3;)