alert tcp any any -> any any (msg:"TOOLS [PTsecurity] gsocket client activity"; flow:to_server, established, no_stream; dsize:128; stream_size:client, <, 500; stream_size:server, <, 100; content:"|02|"; depth:1; offset:0; content:!"|00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:3; within:28; content:!"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:16; content:"|00 00 00 00|"; distance:16; within:4; content:"|00 00 00 00|"; isdataat:!1, relative; reference:url, gsocket.io; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10009304; rev:4;)