alert tcp any any -> any any (msg:"TOOLS [PTsecurity] gsocket server activity"; flow:to_server, established, no_stream; dsize:128; stream_size:client, <, 500; stream_size:server, <, 100; content:"|01|"; depth:1; offset:0; content:!"|00|"; within:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern; distance:3; within:12; content:!"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:16; content:!"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:16; within:16; content:"|00 00 00 00|"; distance:32; within:4; content:"|00 00 00 00|"; isdataat:!1, relative; reference:url, gsocket.io; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10009305; rev:5;)