alert tcp any any -> $EXTERNAL_NET any (msg:"REMOTE [PTsecurity] VxRAT"; flow:established, to_server, only_stream; stream_size:client, >, 100; stream_size:client, <, 400; stream_size:server, <, 5; byte_test:1, >, 0x63, 0; byte_test:1, <, 0xc8, 0; content:"|00 00 00 00 00 00 00 00 00 00 00 54|"; offset:1; depth:12; content:"|40 00|"; distance:6; within:32; content:"|00 0a 00|"; distance:6; within:80; content:"|00 0a 00|"; distance:6; within:80; content:"|00 0a 00|"; distance:6; within:80; content:"|00|D|00|I|00|S|00|P|00|L|00|A|00|Y|00|"; distance:0; fast_pattern; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10010999; rev:1;)