alert tcp any any -> any !$HTTP_PORTS (msg:"REMOTE [PTsecurity] Remcos"; flow:established, to_server; dsize:300<>450; stream_size:client, <, 451; content:"|01 80 b0 a6 75 bd 32 15 1c 8e|"; depth:10; threshold:type threshold, seconds 30, count 2, track by_dst; reference:url, https://www.virustotal.com/gui/file/7efd9de26a438503b6d0bc112ed76e29db45c3341b4b82ad81556c6218ca37cd/detection; reference:url, rules.ptsecurity.com; classtype:trojan-activity; sid:10011276; rev:1;)