alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR [PTsecurity] Possible SSVagent (APT31)"; flow:established, to_server; content:"|00 00 00|"; offset:1; depth:3; http_client_body; pcre:"/^.{12}[A-F-0-9]{32}/P"; content:"|0d0a 0d0a|"; http_client_body; depth:300; byte_jump:1, 0, relative; isdataat:!5, relative; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10006531; rev:4;)