alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EP (ExE Pack) V10 - Elite Coding Group]"; flow: established,to_client; content: "|6068|"; content: "|B8|"; distance: 4; within: 5; content: "|FF10|"; distance: 4; within: 6; sid: 2009000000; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EPack 14 lite (final) - by 6aHguT]"; flow: established,to_client; content: "|33C08BC068|"; content: "|68|"; distance: 4; within: 5; content: "|E8|"; distance: 4; within: 5; sid: 2009000001; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[$PIRIT v15]"; flow: established,to_client; content: "|B44DCD21E8|"; content: "|FDE8|"; distance: 2; within: 4; content: "|B451CD21|"; distance: 2; within: 6; sid: 2009000002; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F190909090|"; distance: 4; within: 21; sid: 2009000003; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [32Lite 003] -- Anorganix]"; flow: established,to_client; content: "|6006FC1E07BE909090906A04689010909068|"; content: "|E9|"; distance: 4; within: 5; sid: 2009000004; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [ACProtect 109] -- Anorganix]"; flow: established,to_client; content: "|6090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090EB02000090909004909090909090909090909090909090909090909090|"; sid: 2009000005; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Armadillo 300] -- Anorganix]"; flow: established,to_client; content: "|60E82A0000005D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB85E9|"; sid: 2009000006; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [ASPack 2xx Heuristic] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F190909090A8030000617508B801000000C20C006800000000C38B85260400008D8D3B0400005150FF95|"; distance: 4; within: 58; sid: 2009000007; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [ASProtect] -- Anorganix]"; flow: established,to_client; content: "|609090909090905D909090909090909090909003DDE9|"; sid: 2009000008; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Borland Delphi 30] -- Anorganix]"; flow: established,to_client; content: "|558BEC83C49090909068|"; content: "|9090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090|"; distance: 4; within: 75; sid: 2009000009; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Borland Delphi 50 KOLMCK] -- Anorganix]"; flow: established,to_client; content: "|558BEC9090909068|"; content: "|9090909090909090909090909090909090909090909090909090909000FF90909090909090900001909090909090909090EB0400000001909090909090900001909090909090909090|"; distance: 4; within: 77; sid: 2009000010; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Borland Delphi 60 - 70] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F190909090538BD833C0A3090909006A00E8090900FFA309090900A109090900A30909090033C0A30909090033C0A309090900E8|"; distance: 4; within: 68; sid: 2009000011; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [CD-Cops II] -- Anorganix]"; flow: established,to_client; content: "|5360BD909090908D45908D5D90E8000000008D01E9|"; sid: 2009000012; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Code-Lock] -- Anorganix]"; flow: established,to_client; content: "|434F44452D4C4F434B2E4F435800012801504B47054C3FB4044D4C474BE9|"; sid: 2009000013; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [CodeSafe 20] -- Anorganix]"; flow: established,to_client; content: "|90909090909090909090909090909090909090909090EB0B83EC10535657E8C4010085E9|"; sid: 2009000014; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [CrunchPE Heuristic] -- Anorganix]"; flow: established,to_client; content: "|55E80E0000005D83ED068BC5556089AD|"; content: "|2B8500000000E9|"; distance: 4; within: 11; sid: 2009000015; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [DEF 10] -- Anorganix]"; flow: established,to_client; content: "|BE000140006A0559807E070074118B46909090909090909090909090909090909083C101E9|"; sid: 2009000016; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [DxPack 10] -- Anorganix]"; flow: established,to_client; content: "|60E8000000005D8BFD81ED909090902BB90000000081EF9090909083BD90909090900F8400000000E9|"; sid: 2009000017; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [ExeSmasher] -- Anorganix]"; flow: established,to_client; content: "|9CFE039060BE909041908DBE9010FFFF5783CDFFEB1090909090909090909090909090909090FE0BE9|"; sid: 2009000018; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [FSG 10] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F190909090BBD0014000BF00104000BE9090909053E80A00000002D275058A164612D2C3FCB280A46A025BE9|"; distance: 4; within: 60; sid: 2009000019; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [FSG 131] -- Anorganix]"; flow: established,to_client; content: "|BE90909000BF90909000BB9090900053BB90909000B280E9|"; sid: 2009000020; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Gleam 100] -- Anorganix]"; flow: established,to_client; content: "|90909090909090909090909090909090909090909090EB0B83EC0C535657E8240200FFE9|"; sid: 2009000021; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [JDPack 1x JDProtect 09] -- Anorganix]"; flow: established,to_client; content: "|60E8220000005D8BD581ED909090902B959090909081EA0690909089959090909083BD4500010001E9|"; sid: 2009000022; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [LCC Win32 1x] -- Anorganix]"; flow: established,to_client; content: "|64A1010000005589E56AFF68|"; content: "|689A10409050E9|"; distance: 4; within: 11; sid: 2009000023; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [LCC Win32 DLL] -- Anorganix]"; flow: established,to_client; content: "|5589E5535657837D0C017505E817909090FF7510FF750CFF7508A1|"; content: "|E9|"; distance: 4; within: 5; sid: 2009000024; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Lockless Intro Pack] -- Anorganix]"; flow: established,to_client; content: "|2CE8EB1A90905D8BC581EDF67390902B859090909083E8068985FF01ECADE9|"; sid: 2009000025; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [LTC 13] -- Anorganix]"; flow: established,to_client; content: "|54E8000000005D8BC581EDF67340002B858775400083E806E9|"; sid: 2009000026; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Macromedia Flash Projector 60] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F19090909083EC4456FF15248149008BF08A063C22751C8A4601463C22740C84C074088A4601463C2275F4803E22750F46EB0CE9|"; distance: 4; within: 68; sid: 2009000027; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [MEW 11 SE 10] -- Anorganix]"; flow: established,to_client; content: "|E909000000000000020000000C90E9|"; sid: 2009000028; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Microsoft Visual Basic 50 - 60] -- Anorganix]"; flow: established,to_client; content: "|68|"; content: "|E80A00000000000000000030000000E9|"; distance: 4; within: 20; sid: 2009000029; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Microsoft Visual Basic 60 DLL] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F1909090905A6890909090689090909052E99090FF|"; distance: 4; within: 37; sid: 2009000030; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Microsoft Visual C 50 (MFC)] -- Anorganix]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64A10000000050E9|"; distance: 4; within: 12; sid: 2009000031; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Microsoft Visual C 60 (Debug Version)] -- Anorganix]"; flow: established,to_client; content: "|558BEC5190909001019090909068|"; content: "|90909090909090909090909000019090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909000019090909090|"; distance: 4; within: 71; sid: 2009000032; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Microsoft Visual C 620] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F190909090558BEC83EC50535657BE909090908D7DF4A5A566A58B|"; distance: 4; within: 43; sid: 2009000033; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Microsoft Visual C 70 DLL] -- Anorganix]"; flow: established,to_client; content: "|558D6C010081EC000000008B459083F801560F840000000085C00F84|"; content: "|E9|"; distance: 4; within: 5; sid: 2009000034; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [MinGW GCC 2x] -- Anorganix]"; flow: established,to_client; content: "|5589E5E802000000C9C39090455845E9|"; sid: 2009000035; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Morphine 12] -- Anorganix]"; flow: established,to_client; content: "|90909090909090909090909090909090EB06009090909090909090EB08E890000000669090909090909090909090909090909090909090909090909090909090516690909059909090909090909090909090909090|"; sid: 2009000036; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Neolite 20] -- Anorganix]"; flow: established,to_client; content: "|E9A60000009090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090|"; sid: 2009000037; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [NorthStar PE Shrinker 13] -- Anorganix]"; flow: established,to_client; content: "|9C60E8000000005DB8B38540002DAC8540002BE88DB500000000E9|"; sid: 2009000038; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Pack Master 10 (PEX Clone)] -- Anorganix]"; flow: established,to_client; content: "|60E801010000E883C404E801909090E95D81EDD3224090E804029090E8EB08EB02CD20FF24249A66BE4746909090909090909090909090909090909090909090909090909090909090909090909090909090909090|"; sid: 2009000039; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PE Intro 10] -- Anorganix]"; flow: established,to_client; content: "|8B04249C60E8140000005D81ED0A45409080BD67444090900F8548FFED0AE9|"; sid: 2009000040; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PE Pack 099] -- Anorganix]"; flow: established,to_client; content: "|60E8110000005D83ED0680BDE0049090010F84F2FFCC0AE9|"; sid: 2009000041; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PE Protect 09] -- Anorganix]"; flow: established,to_client; content: "|525155576467A1300085C0780DE8070000005883C007C690C3E9|"; sid: 2009000042; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PECompact 14] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F190909090EB066890909090C39C60E80290909033C08BC483C004938BE38B5BFC81|"; distance: 4; within: 50; sid: 2009000043; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PENightMare 2 Beta] -- Anorganix]"; flow: established,to_client; content: "|60E910000000EF4003A7078F071C375D43A704B92C3AE9|"; sid: 2009000044; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PENinja 131] -- Anorganix]"; flow: established,to_client; content: "|909090909090909090909090909090909090909090909090909090909090909090909090E9|"; sid: 2009000045; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PESHiELD 025] -- Anorganix]"; flow: established,to_client; content: "|60E82B0000009090909090909090909090909090909090909090909090909090909090909090909090909090909090CCCCE9|"; sid: 2009000046; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PEtite 2x (level 0)] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F190909090B8009090006A00689090900064FF350000000064892500000000669C60508BD8030068|"; distance: 4; within: 56; sid: 2009000047; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [PEX 099] -- Anorganix]"; flow: established,to_client; content: "|60E8010000005583C404E801000000905D81FFFFFF0001E9|"; sid: 2009000048; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [REALBasic] -- Anorganix]"; flow: established,to_client; content: "|5589E5909090909090909090905090909090900001E9|"; sid: 2009000049; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Stelth PE 101] -- Anorganix]"; flow: established,to_client; content: "|0BC00BC00BC00BC00BC00BC00BC00BC0BA|"; content: "|FFE2BAE0104000B868241A40890283C203B84000E8EE890283C2FDFFE22D3D5B20486964655045205D3D2D90000000|"; distance: 4; within: 51; sid: 2009000050; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [UPX 06] -- Anorganix]"; flow: established,to_client; content: "|60E8000000005883E83D508DB8000000FF578DB0E8000000E9|"; sid: 2009000051; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [VBOX 43 MTE] -- Anorganix]"; flow: established,to_client; content: "|0BC00BC00BC00BC00BC00BC00BC00BC0E9|"; sid: 2009000052; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Video-Lan-Client] -- Anorganix]"; flow: established,to_client; content: "|5589E583EC08909090909090909090909090909001FFFF0101010001909090909090909090909090909000010001000190900001E9|"; sid: 2009000053; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [VOB ProtectCD 5] -- Anorganix]"; flow: established,to_client; content: "|363E268AC060E800000000E9|"; sid: 2009000054; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [WATCOM CC EXE] -- Anorganix]"; flow: established,to_client; content: "|E900000000909090905741E9|"; sid: 2009000055; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [XCR 011] -- Anorganix]"; flow: established,to_client; content: "|608BF033DB83C30183C001E9|"; sid: 2009000056; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 01 [Yodas Protector 102] -- Anorganix]"; flow: established,to_client; content: "|E803000000EB019090E9|"; sid: 2009000057; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [BJFNT 11b] -- Anorganix]"; flow: established,to_client; content: "|EB01EA9CEB01EA53EB01EA51EB01EA52EB01EA5690|"; sid: 2009000058; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [BJFNT 12] -- Anorganix]"; flow: established,to_client; content: "|EB0269B183EC04EB03CD20EBEB01EB9CEB01EBEB00|"; sid: 2009000059; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [32Lite 003] -- Anorganix]"; flow: established,to_client; content: "|6006FC1E07BE909090906A04689010909068|"; sid: 2009000060; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Armadillo 300] -- Anorganix]"; flow: established,to_client; content: "|60E82A0000005D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB85|"; sid: 2009000061; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [ASProtect] -- Anorganix]"; flow: established,to_client; content: "|609090909090905D909090909090909090909003DD|"; sid: 2009000062; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Borland C 1999] -- Anorganix]"; flow: established,to_client; content: "|EB1066623A432B2B484F4F4B90E990909090A1|"; content: "|A3|"; distance: 4; within: 5; sid: 2009000063; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Borland C DLL (Method 2)] -- Anorganix]"; flow: established,to_client; content: "|EB1066623A432B2B484F4F4B90E990909090|"; sid: 2009000064; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Borland Delphi DLL] -- Anorganix]"; flow: established,to_client; content: "|558BEC83C4B4B890909090E800000000E8000000008D4000|"; sid: 2009000065; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Borland Delphi Setup Module] -- Anorganix]"; flow: established,to_client; content: "|558BEC83C49053565733C08945F08945D48945D0E800000000|"; sid: 2009000066; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [CD-Cops II] -- Anorganix]"; flow: established,to_client; content: "|5360BD909090908D45908D5D90E8000000008D01|"; sid: 2009000067; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Code-Lock] -- Anorganix]"; flow: established,to_client; content: "|434F44452D4C4F434B2E4F435800012801504B47054C3FB4044D4C474B|"; sid: 2009000068; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [CodeSafe 20] -- Anorganix]"; flow: established,to_client; content: "|90909090909090909090909090909090909090909090EB0B83EC10535657E8C4010085|"; sid: 2009000069; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [CrunchPE Heuristic] -- Anorganix]"; flow: established,to_client; content: "|55E80E0000005D83ED068BC5556089AD|"; content: "|2B8500000000|"; distance: 4; within: 10; sid: 2009000070; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [DEF 10] -- Anorganix]"; flow: established,to_client; content: "|BE000140006A0559807E070074118B46909090909090909090909090909090909083C101|"; sid: 2009000071; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [DxPack 10] -- Anorganix]"; flow: established,to_client; content: "|60E8000000005D8BFD81ED909090902BB90000000081EF9090909083BD90909090900F8400000000|"; sid: 2009000072; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [ExeSmasher] -- Anorganix]"; flow: established,to_client; content: "|9CFE039060BE909041908DBE9010FFFF5783CDFFEB1090909090909090909090909090909090FE0B|"; sid: 2009000073; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [FSG 10] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F190909090BBD0014000BF00104000BE9090909053E80A00000002D275058A164612D2C3FCB280A46A025B|"; distance: 4; within: 59; sid: 2009000074; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [FSG 131] -- Anorganix]"; flow: established,to_client; content: "|BE90909000BF90909000BB9090900053BB90909000B280|"; sid: 2009000075; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Gleam 100] -- Anorganix]"; flow: established,to_client; content: "|90909090909090909090909090909090909090909090EB0B83EC0C535657E8240200FF|"; sid: 2009000076; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [JDPack 1x JDProtect 09] -- Anorganix]"; flow: established,to_client; content: "|60E8220000005D8BD581ED909090902B959090909081EA0690909089959090909083BD4500010001|"; sid: 2009000077; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [LCC Win32 1x] -- Anorganix]"; flow: established,to_client; content: "|64A1010000005589E56AFF68|"; content: "|689A10409050|"; distance: 4; within: 10; sid: 2009000078; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [LCC Win32 DLL] -- Anorganix]"; flow: established,to_client; content: "|5589E5535657837D0C017505E817909090FF7510FF750CFF7508A1|"; sid: 2009000079; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Lockless Intro Pack] -- Anorganix]"; flow: established,to_client; content: "|2CE8EB1A90905D8BC581EDF67390902B859090909083E8068985FF01ECAD|"; sid: 2009000080; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Macromedia Flash Projector 60] -- Anorganix]"; flow: established,to_client; content: "|9090909068|"; content: "|6764FF360000676489260000F19090909083EC4456FF15248149008BF08A063C22751C8A4601463C22740C84C074088A4601463C2275F4803E22750F46EB0C|"; distance: 4; within: 67; sid: 2009000081; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [MEW 11 SE 10] -- Anorganix]"; flow: established,to_client; content: "|E909000000000000020000000C90|"; sid: 2009000082; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Microsoft Visual Basic 50 - 60] -- Anorganix]"; flow: established,to_client; content: "|68|"; content: "|E80A00000000000000000030000000|"; distance: 4; within: 19; sid: 2009000083; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Microsoft Visual C 70 DLL] -- Anorganix]"; flow: established,to_client; content: "|558D6C010081EC000000008B459083F801560F840000000085C00F84|"; sid: 2009000084; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [MinGW GCC 2x] -- Anorganix]"; flow: established,to_client; content: "|5589E5E802000000C9C39090455845|"; sid: 2009000085; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [NorthStar PE Shrinker 13] -- Anorganix]"; flow: established,to_client; content: "|9C60E8000000005DB8B38540002DAC8540002BE88DB500000000|"; sid: 2009000086; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [PE Intro 10] -- Anorganix]"; flow: established,to_client; content: "|8B04249C60E8140000005D81ED0A45409080BD67444090900F8548FFED0A|"; sid: 2009000087; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [PE Pack 099] -- Anorganix]"; flow: established,to_client; content: "|60E8110000005D83ED0680BDE0049090010F84F2FFCC0A|"; sid: 2009000088; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [PE Protect 09] -- Anorganix]"; flow: established,to_client; content: "|525155576467A1300085C0780DE8070000005883C007C690C3|"; sid: 2009000089; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [PENightMare 2 Beta] -- Anorganix]"; flow: established,to_client; content: "|60E910000000EF4003A7078F071C375D43A704B92C3A|"; sid: 2009000090; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [PESHiELD 025] -- Anorganix]"; flow: established,to_client; content: "|60E82B0000009090909090909090909090909090909090909090909090909090909090909090909090909090909090CCCC|"; sid: 2009000091; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [PEX 099] -- Anorganix]"; flow: established,to_client; content: "|60E8010000005583C404E801000000905D81FFFFFF0001|"; sid: 2009000092; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [REALBasic] -- Anorganix]"; flow: established,to_client; content: "|5589E5909090909090909090905090909090900001|"; sid: 2009000093; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [UPX 06] -- Anorganix]"; flow: established,to_client; content: "|60E8000000005883E83D508DB8000000FF578DB0E8000000|"; sid: 2009000094; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [VBOX 43 MTE] -- Anorganix]"; flow: established,to_client; content: "|0BC00BC00BC00BC00BC00BC00BC00BC0|"; sid: 2009000095; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Video-Lan-Client] -- Anorganix]"; flow: established,to_client; content: "|5589E583EC08909090909090909090909090909001FFFF0101010001909090909090909090909090909000010001000190900001|"; sid: 2009000096; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [VOB ProtectCD 5] -- Anorganix]"; flow: established,to_client; content: "|363E268AC060E800000000|"; sid: 2009000097; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Watcom CC DLL] -- Anorganix]"; flow: established,to_client; content: "|535657558B7424148B7C24188B6C241C83FF030F8701000000F1|"; sid: 2009000098; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [WATCOM CC EXE] -- Anorganix]"; flow: established,to_client; content: "|E900000000909090905741|"; sid: 2009000099; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [XCR 011] -- Anorganix]"; flow: established,to_client; content: "|608BF033DB83C30183C001|"; sid: 2009000100; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [Yodas Protector 102] -- Anorganix]"; flow: established,to_client; content: "|E803000000EB019090|"; sid: 2009000101; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* PseudoSigner 02 [ZCode 101] -- Anorganix]"; flow: established,to_client; content: "|E912000000000000000000000000000000E9FBFFFFFFC3680000000064FF3500000000|"; sid: 2009000102; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[* [MSLRH] V031 - emadicius]"; flow: established,to_client; content: "|60D1CB0FCAC1CAE0D1CA0FC8EB01F1|"; sid: 2009000103; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[*** Protector v1111 (DDeM-PE Engine v09 DDeM-CI v092)]"; flow: established,to_client; content: "|535156E8000000005B81EB081000008DB334100000B9F3030000BA63172AEE311683C604|"; sid: 2009000104; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BJFnt v11b]"; flow: established,to_client; content: "|EB01EA9CEB01EA53EB01EA51EB01EA52EB01EA56|"; sid: 2009000105; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BJFnt v12 RC]"; flow: established,to_client; content: "|EB0269B183EC04EB03CD20EBEB01EB9CEB01EBEB|"; sid: 2009000106; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BJFnt v13]"; flow: established,to_client; content: "|EB|"; content: "|3A|"; distance: 1; within: 2; content: "|1EEB|"; distance: 2; within: 4; content: "|CD209CEB|"; distance: 1; within: 5; content: "|CD20EB|"; distance: 1; within: 4; content: "|CD2060EB|"; distance: 1; within: 5; sid: 2009000107; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[32Lite v003a]"; flow: established,to_client; content: "|6006FC1E07BE|"; content: "|6A0468|"; distance: 4; within: 7; content: "|10|"; distance: 1; within: 2; content: "|68|"; distance: 2; within: 3; sid: 2009000108; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[624 (Six to Four) v10]"; flow: established,to_client; content: "|50554C5083|"; content: "|FCBF|"; distance: 2; within: 4; content: "|BE|"; distance: 2; within: 3; content: "|B5|"; distance: 2; within: 3; content: "|57F3A5C333ED|"; distance: 1; within: 7; sid: 2009000109; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AcidCrypt]"; flow: established,to_client; content: "|60B9|"; content: "|00BA|"; distance: 3; within: 5; content: "|00BE|"; distance: 3; within: 5; content: "|000238404E75FA8BC28A1832DFC0CB|"; distance: 3; within: 18; sid: 2009000110; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AcidCrypt]"; flow: established,to_client; content: "|BE|"; content: "|0238404E75FA8BC28A1832DFC0CB|"; distance: 4; within: 18; sid: 2009000111; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect 109g - Risco software Inc]"; flow: established,to_client; content: "|60F950E8010000007C58584950E8010000007E5858790466B9B872E8010000007A83C40485C8EB01EBC1F8BE72037301740F8101000000F9EB0175F9E8010000|"; sid: 2009000112; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect V13X - risco]"; flow: established,to_client; content: "|6050E8010000007583|"; sid: 2009000113; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect v141]"; flow: established,to_client; content: "|60760377017B74037501784787EEE8010000007683C40485EEEB017F85F2EB01790F8601000000FCEB0178790287F261518F051938010160EB01E9E901000000|"; sid: 2009000114; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect V14X - risco]"; flow: established,to_client; content: "|60E8010000007C83042406C3|"; sid: 2009000115; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect v190g - Risco software Inc]"; flow: established,to_client; content: "|600F87020000001BF8E8010000007383042406C3|"; sid: 2009000116; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ACProtect V20 - risco]"; flow: established,to_client; content: "|68|"; content: "|68|"; distance: 4; within: 5; content: "|C3C3|"; distance: 4; within: 6; sid: 2009000117; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ActiveMARK[TM] R5311140 - Trymedia]"; flow: established,to_client; content: "|79117FAB9A4A83B5C96B1A48F927B425|"; sid: 2009000118; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AdFlt2]"; flow: established,to_client; content: "|6800019C0FA00FA860FD6A000FA1BE|"; content: "|AD|"; distance: 2; within: 3; sid: 2009000119; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Adys Glue 110]"; flow: established,to_client; content: "|2E|"; content: "|0E1FBF|"; distance: 4; within: 7; content: "|33DB33C0AC|"; distance: 2; within: 7; sid: 2009000120; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Adys Glue v010]"; flow: established,to_client; content: "|2E8C06|"; content: "|0E0733C08ED8BE|"; distance: 2; within: 9; content: "|BF|"; distance: 2; within: 3; content: "|FCB9|"; distance: 2; within: 4; content: "|56F3A51E075F|"; distance: 2; within: 8; sid: 2009000121; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHPack 01 - FEUERRADER]"; flow: established,to_client; content: "|606854|"; content: "|00B848|"; distance: 2; within: 5; content: "|00FF1068B3|"; distance: 2; within: 7; content: "|0050B844|"; distance: 2; within: 6; content: "|00FF106800|"; distance: 2; within: 7; sid: 2009000122; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHpack 01 - FEUERRADER]"; flow: established,to_client; content: "|606854|"; content: "|B848|"; distance: 3; within: 5; content: "|FF1068B3|"; distance: 3; within: 7; content: "|50B844|"; distance: 3; within: 6; content: "|FF106800|"; distance: 3; within: 7; content: "|6A40FFD08905CA|"; distance: 3; within: 10; content: "|89C7BE0010|"; distance: 3; within: 8; content: "|60FCB28031DBA4B302E86D00000073F631C9E864000000731C31C0E85B0000007323B30241|"; distance: 2; within: 39; sid: 2009000123; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake ASPack 212) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE060E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB|"; distance: 46; within: 78; sid: 2009000124; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake ASProtect 10) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE060E801000000905D81ED00000000BB0000000003DD2B9D|"; distance: 46; within: 72; sid: 2009000125; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake Borland Delphi 60-70) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0538BD833C0A3000000006A00E8000000FFA300000000A100000000A30000000033C0A30000000033C0A300000000E8|"; distance: 46; within: 96; sid: 2009000126; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake kkryptor 9kryptor a) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE060E8|"; distance: 46; within: 51; content: "|5EB9000000002BC002040ED3C04979F8418D7E2C3346|"; distance: 4; within: 26; content: "|66B9|"; distance: 1; within: 3; sid: 2009000127; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake Microsoft Visual C 70) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE06A0068|"; distance: 46; within: 52; content: "|E8|"; distance: 4; within: 5; content: "|BF|"; distance: 4; within: 5; content: "|8BC7E8|"; distance: 4; within: 7; content: "|8965008BF4893E56FF15|"; distance: 4; within: 14; content: "|8B4E|"; distance: 4; within: 6; content: "|890D|"; distance: 1; within: 3; content: "|008B4600A3|"; distance: 3; within: 8; sid: 2009000128; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake PCGuard 403-415) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0FC5550E8000000005DEB01E360E803000000D2EB0B58EB014840EB01|"; distance: 46; within: 77; sid: 2009000129; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake PE Lock NT 204) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0EB03CD20C71EEB03CD20EA9CEB02EB01EB01EB60EB03CD20EBEB01EB|"; distance: 46; within: 77; sid: 2009000130; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake PE-Crypt 102) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0E8000000005B83EB05EB04524E44|"; distance: 46; within: 63; sid: 2009000131; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake PESHiELD 2x) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE060E800000000414E414B494E5D83ED06EB02EA04|"; distance: 46; within: 69; sid: 2009000132; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake PEtite 22) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0B800000000680000000064FF350000000064892500000000669C6050|"; distance: 46; within: 77; sid: 2009000133; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake Spalsher 1x-3x) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE09C608B442424E8000000005D81ED0000000050E8ED0200008CC00F84|"; distance: 46; within: 77; sid: 2009000134; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake Stones PE Encryptor 20) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0535152565755E8000000005D81ED42304000FF9532354000B83730400003C52B851B34400089852734400083|"; distance: 46; within: 93; sid: 2009000135; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake SVKP 13x) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE060E8000000005D81ED06000000EB05B80000000064A023000000EB03C784E884C0EB03C784E97567B9490000008DB5C50200005680064446E2FA8B8DC10200005E55516A00|"; distance: 46; within: 118; sid: 2009000136; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake tElock 061) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0E90000000060E8000000005883C008F3EBFFE083C02850E8000000005EB3338D460E8D76312818F87300C38BFEB93C02|"; distance: 46; within: 97; sid: 2009000137; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake VIRUSI-Worm Hybris) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0EB16A85400004741424C4B43474300000000000052495300FC684C704000FF15|"; distance: 46; within: 81; sid: 2009000138; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake VOB ProtectCD) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE05F81EF00000000BE000040008B870000000003C657568CA700000000FF108987000000005E5F|"; distance: 46; within: 87; sid: 2009000139; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake Xtreme-Protector 105) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0E8000000005D8100000000006A45E8A30000006800000000E8|"; distance: 46; within: 74; sid: 2009000140; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AHTeam EP Protector 03 (fake ZCode 101) - FEUERRADER]"; flow: established,to_client; content: "|90|"; content: "|90FFE0E912000000000000000000000000000000E9FBFFFFFFC3680000000064FF35|"; distance: 46; within: 80; sid: 2009000141; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AINEXE v21]"; flow: established,to_client; content: "|A1|"; content: "|2D|"; distance: 2; within: 3; content: "|8ED0BC|"; distance: 2; within: 5; content: "|8CD836A3|"; distance: 2; within: 6; content: "|05|"; distance: 2; within: 3; content: "|36A3|"; distance: 2; within: 4; content: "|2EA1|"; distance: 2; within: 4; content: "|8AD4B104D2EAFEC9|"; distance: 2; within: 10; sid: 2009000142; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AINEXE v230]"; flow: established,to_client; content: "|0E07B9|"; content: "|BE|"; distance: 2; within: 3; content: "|33FFFCF3A4A1|"; distance: 2; within: 8; content: "|2D|"; distance: 2; within: 3; content: "|8ED0BC|"; distance: 2; within: 5; content: "|8CD8|"; distance: 2; within: 4; sid: 2009000143; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Alex Protector v10 - Alex]"; flow: established,to_client; content: "|60E8000000005D81ED06104000E824000000EB01E98B|"; sid: 2009000144; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Alloy 4x - PGWare LLC]"; flow: established,to_client; content: "|9C60E80200000033C08BC483C004938BE38B5BFC81EB0730400087DD6A04680010000068000200006A00FF95A83340000BC00F84F601000089852E33400083BDE832400001740D83BDE432400001742A8BF8EB3E68|"; sid: 2009000145; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Alloy v1x2000]"; flow: established,to_client; content: "|9C60E802|"; content: "|33C08BC483C004938BE38B5BFC81EB072040|"; distance: 3; within: 21; content: "|87DD6A0468|"; distance: 1; within: 6; content: "|10|"; distance: 1; within: 2; content: "|68|"; distance: 2; within: 3; content: "|02|"; distance: 1; within: 2; content: "|6A|"; distance: 2; within: 3; content: "|FF95462340|"; distance: 1; within: 6; content: "|0B|"; distance: 1; within: 2; sid: 2009000146; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Aluwain v809]"; flow: established,to_client; content: "|8BEC1EE8|"; content: "|9D5E|"; distance: 2; within: 4; sid: 2009000147; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ANDpakk2 018 - by Dmitry AND Andreev]"; flow: established,to_client; content: "|FCBED4004000BF00|"; content: "|005783CDFF33C9F9EB05A402DB75058A1E4612DB72F433C04002DB75058A1E4612DB13C002DB75058A1E4612DB720E4802DB75058A1E4612DB13C0EBDC83E803720FC1E008AC83F0FF744DD1F88BE8EB0902DB75058A1E4612DB13C902DB75058A1E4612DB13C9751A4102DB75058A1E4612DB13C902DB75058A1E4612DB73EA83C10281FD00FBFFFF83D101568D342FF3A45EE973FFFFFFC3|"; distance: 2; within: 155; sid: 2009000148; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Anskya Binder v11 - Anskya]"; flow: established,to_client; content: "|BE|"; content: "|00BBF811400033ED83EE04392E7411|"; distance: 3; within: 18; sid: 2009000149; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Anslym Crypter]"; flow: established,to_client; content: "|558BEC83C4F05356B838170510E85A45FBFF33C05568211C051064FF30648920EB08FCFCFCFCFCFC2754E8854CFBFF6A00E80E47FBFF6A0AE82749FBFFE8EA47FBFF6A0A68301C0510A16056051050E86847FBFF8BD885DB0F84B602000053A16056051050E8F248FBFF8BF085F60F84A0020000E8F3|"; sid: 2009000150; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Anslym FUD Crypter]"; flow: established,to_client; content: "|558BEC83C4F05356B838170510E85A45FBFF33C05568211C051064FF30648920EB08FCFCFCFCFCFC2754E8854CFBFF6A00E80E47FBFF6A0AE82749FBFFE8EA47FBFF6A0A|"; sid: 2009000151; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Anticrack Software Protector v109 (ACProtect)]"; flow: established,to_client; content: "|60|"; content: "|0000|"; distance: 8; within: 10; content: "|E801000000|"; distance: 12; within: 17; content: "|83042406C3|"; distance: 1; within: 6; content: "|00|"; distance: 5; within: 6; sid: 2009000152; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiDote 10 Beta - SIS-Team]"; flow: established,to_client; content: "|E8BBFFFFFF84C0742F680401000068C02360006A00FF1508106000E840FFFFFF506878116000686811600068C0236000E8ABFDFFFF83C41033C0C210009090908B4C2408568B74240833D28BC6F7F18BC685D2740833D2F7F1400FAFC15EC3908B4424045355568B483C5703C833D28B79548B71388BC7F7F685D2740C8BC733D2F7F68BF8470FAFFE33C033DB668B41148D54081833C0668B4106895424148D68FF85ED7C3733C0|"; sid: 2009000153; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiDote 12 Beta (Demo) - SIS-Team]"; flow: established,to_client; content: "|6869D60000E8C6FDFFFF6869D60000E8BCFDFFFF83C408E8A4FFFFFF84C0742F680401000068B02160006A00FF1508106000E829FFFFFF506888106000687810600068B0216000E8A4FDFFFF83C41033C0C210009090909090909090909090908B4C2408568B74240833D28BC6F7F18BC685D2740833D2F7F1400FAFC15EC3908B4424045355568B483C5703C833D28B79548B71388BC7F7F685D2740C8BC733D2F7F68BF8470FAFFE33C033DB668B41148D54081833C0|"; sid: 2009000154; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiDote 1214 SE DLL - SIS-Team]"; flow: established,to_client; content: "|EB1066623A432B2B484F4F4B90E9083290909090909090909090807C2408010F85|"; content: "|60BE|"; distance: 4; within: 6; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFFEB0B908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73|"; distance: 4; within: 51; content: "|75|"; distance: 1; within: 2; content: "|8B1E83EEFC11DB|"; distance: 1; within: 8; sid: 2009000155; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiDote 14 SE - SIS-Team]"; flow: established,to_client; content: "|6890030000E8C6FDFFFF6890030000E8BCFDFFFF6890030000E8B2FDFFFF50E8ACFDFFFF50E8A6FDFFFF6869D60000E89CFDFFFF50E896FDFFFF50E890FDFFFF83C420E878FFFFFF84C0744F680401000068102260006A00FF15081060006890030000E868FDFFFF6869D60000E85EFDFFFF50E858FDFFFF50E852FDFFFFE8DDFEFFFF5068A410600068941060006810226000E858FDFFFF83C42033C0C210008B4C2408568B74240833D28BC6F7F18BC685D2740833D2F7F1400FAFC15EC3|"; sid: 2009000156; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AntiVirus Vaccine v103]"; flow: established,to_client; content: "|FA33DBB9|"; content: "|0E1F33F6FCAD35|"; distance: 2; within: 9; content: "|03D8E2|"; distance: 2; within: 5; sid: 2009000157; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[aPack v062]"; flow: established,to_client; content: "|1E068CC88ED8|"; content: "|8EC050BE|"; distance: 3; within: 7; content: "|33FFFCB6|"; distance: 2; within: 6; sid: 2009000158; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[aPack v082]"; flow: established,to_client; content: "|1E068CCBBA|"; content: "|03DA8D|"; distance: 2; within: 5; content: "|FC33F633FF484B8EC08EDB|"; distance: 3; within: 14; sid: 2009000159; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[APatch GUI v11]"; flow: established,to_client; content: "|5231C0E8FFFFFFFF|"; sid: 2009000160; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[APEX_C (BLT Apex 40) - 500mhz]"; flow: established,to_client; content: "|68|"; content: "|B9FFFFFF0001D0F7E2720148E2F7B9FF0000008B34248036FD46E2FAC3|"; distance: 4; within: 33; sid: 2009000161; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Apex_c beta - 500mhz]"; flow: established,to_client; content: "|68|"; content: "|B9FFFFFF0001D0F7E2720148E2F7B9FF0000008B34248036FD46E2FAC3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000|"; distance: 4; within: 84; sid: 2009000162; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[App Encryptor - Silent Team]"; flow: established,to_client; content: "|60E8000000005D81ED1F1F4000B97B0900008DBD671F40008BF7AC|"; sid: 2009000163; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[App Protector - Silent Team]"; flow: established,to_client; content: "|E9970000000D0A53696C656E74205465616D204170702050726F746563746F720D0A437265617465642062792053696C656E7420536F6674776172650D0A5468656E6B7A20746F20446F6368746F7220580D0A0D0A|"; sid: 2009000164; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARC-SFX Archive]"; flow: established,to_client; content: "|8CC88CDB8ED88EC089|"; content: "|2BC3A3|"; distance: 3; within: 6; content: "|89|"; distance: 2; within: 3; content: "|BE|"; distance: 3; within: 4; content: "|B9|"; distance: 2; within: 3; content: "|BF|"; distance: 2; within: 3; content: "|BA|"; distance: 2; within: 3; content: "|FCAC32C28AD8|"; distance: 2; within: 8; sid: 2009000165; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARM Protector 01 - by SMoKE]"; flow: established,to_client; content: "|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005DEB010081ED5E1F4000EB0283098DB5EF1F4000EB028309BAA3110000EB01008D8D923140008B09E81400000083EB01008BFEE8000000005883C00750C300EB04584050C38A0646EB0100D0C8E81400000083EB01002AC2E8000000005B83C30753C300EB045B4353C3EB010032C2E80B0000000032C1EB0100C0C002EB092AC25BEB01004353C38807EB0100474A75B4|"; sid: 2009000166; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ARM Protector v02- SMoKE]"; flow: established,to_client; content: "|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005DEB010081ED09204000EB0283098DB59A204000EB028309BA0B120000EB01008D8DA5324000|"; sid: 2009000167; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo 300a - Silicon Realms Toolworks]"; flow: established,to_client; content: "|60E8000000005D5051EB0F|"; content: "|EB0F|"; distance: 1; within: 3; content: "|EB07|"; distance: 1; within: 3; content: "|EB0F|"; distance: 1; within: 3; content: "|EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FC|"; distance: 1; within: 21; content: "|59585051EB0F|"; distance: 1; within: 7; content: "|EB0F|"; distance: 1; within: 3; content: "|EB07|"; distance: 1; within: 3; content: "|EB0F|"; distance: 1; within: 3; content: "|EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FC|"; distance: 1; within: 21; content: "|59585051EB0F|"; distance: 1; within: 7; sid: 2009000168; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo 3X-5X - Silicon Realms Toolworks]"; flow: established,to_client; content: "|60E8000000005D50510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE99D0FC98BCAF7D1595850510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE99D0FC98BCAF7D1595850510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE99D0FC98BCAF7D159586033C97502EB15EB33|"; sid: 2009000169; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo 50 Dll - Silicon Realms Toolworks]"; flow: established,to_client; content: "|837C2408017505E8DE4B0000FF7424048B4C24108B54240CE8EDFEFFFF59C20C006A0C68|"; content: "|E8E52400008B4D0833FF3BCF762E6AE05833D2F7F13B450C1BC040751FE88F150000C7000C0000005757575757E82015000083C41433C0E9D50000000FAF4D0C8BF18975083BF7750333F64633DB895DE483FEE07769833D|"; distance: 4; within: 92; content: "|03754B83C60F83E6F089750C8B45083B05|"; distance: 4; within: 21; content: "|77376A04E8D723000059897DFCFF7508E8EC530000598945E4C745FCFEFFFFFFE85F0000008B5DE43BDF7411FF75085753E82BC5FFFF83C40C3BDF7561566A08FF35|"; distance: 4; within: 70; content: "|FF15|"; distance: 4; within: 6; content: "|8BD83BDF754C393D|"; distance: 4; within: 12; content: "|743356E819EDFFFF5985C00F8572FFFFFF8B45103BC70F8450FFFFFFC7000C000000E945FFFFFF33FF8B750C6A04E87D22000059C3|"; distance: 4; within: 57; sid: 2009000170; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo 500 - Silicon Realms Toolworks]"; flow: established,to_client; content: "|E8E3400000E916FEFFFF6A0C68|"; content: "|E8441500008B4D0833FF3BCF762E6AE05833D2F7F13B450C1BC040751FE836130000C7000C0000005757575757E8C712000083C41433C0E9D50000000FAF4D0C8BF18975083BF7750333F64633DB895DE483FEE07769833D|"; distance: 4; within: 92; content: "|03754B83C60F83E6F089750C8B45083B05|"; distance: 4; within: 21; content: "|77376A04E84811000059897DFCFF7508E801490000598945E4C745FCFEFFFFFFE85F0000008B5DE43BDF7411FF75085753E866D3FFFF83C40C3BDF7561566A08FF35|"; distance: 4; within: 70; content: "|FF15|"; distance: 4; within: 6; content: "|8BD83BDF754C393D|"; distance: 4; within: 12; content: "|743356E8AFF9FFFF5985C00F8572FFFFFF8B45103BC70F8450FFFFFFC7000C000000E945FFFFFF33FF8B750C6A04E8EE0F000059C3|"; distance: 4; within: 57; sid: 2009000171; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v160a]"; flow: established,to_client; content: "|558BEC6AFF689871400068482D400064A100000000506489250000000083EC58|"; sid: 2009000172; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v171]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64A1|"; distance: 4; within: 6; sid: 2009000173; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v172 - v173]"; flow: established,to_client; content: "|558BEC6AFF68E8C1|"; content: "|68F486|"; distance: 2; within: 5; content: "|64A1|"; distance: 2; within: 4; content: "|50648925|"; distance: 4; within: 8; content: "|83EC58|"; distance: 4; within: 7; sid: 2009000174; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v177]"; flow: established,to_client; content: "|558BEC6AFF68B0714000686C37400064A100000000506489250000000083EC58|"; sid: 2009000175; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v180]"; flow: established,to_client; content: "|558BEC6AFF68E8C1000068F486000064A100000000506489250000000083EC58|"; sid: 2009000176; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v182]"; flow: established,to_client; content: "|558BEC6AFF68E0C14000687481400064A100000000506489250000000083EC58|"; sid: 2009000177; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v183]"; flow: established,to_client; content: "|558BEC6AFF68E0C14000686484400064A100000000506489250000000083EC58|"; sid: 2009000178; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v184]"; flow: established,to_client; content: "|558BEC6AFF68E8C1400068F486400064A100000000506489250000000083EC58|"; sid: 2009000179; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v190]"; flow: established,to_client; content: "|558BEC6AFF6810F2400068649A400064A100000000506489250000000083EC58|"; sid: 2009000180; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v190a]"; flow: established,to_client; content: "|558BEC64FF6810F2400068149B400064A100000000506489250000000083EC58|"; sid: 2009000181; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v190b1]"; flow: established,to_client; content: "|558BEC6AFF68E0C14000680489400064A100000000506489250000000083EC58|"; sid: 2009000182; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v190b2]"; flow: established,to_client; content: "|558BEC6AFF68F0C1400068A489400064A100000000506489250000000083EC58|"; sid: 2009000183; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v190b3]"; flow: established,to_client; content: "|558BEC6AFF6808E24000689495400064A100000000506489250000000083EC58|"; sid: 2009000184; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v190b4]"; flow: established,to_client; content: "|558BEC6AFF6808E2400068B496400064A100000000506489250000000083EC58|"; sid: 2009000185; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v190c]"; flow: established,to_client; content: "|558BEC6AFF6810F2400068749D400064A100000000506489250000000083EC58|"; sid: 2009000186; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v19x]"; flow: established,to_client; content: "|558BEC6AFF6898|"; content: "|6810|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF15|"; distance: 4; within: 15; sid: 2009000187; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v1xx - v2xx]"; flow: established,to_client; content: "|558BEC538B5D08568B750C578B7D1085F6|"; sid: 2009000188; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v200]"; flow: established,to_client; content: "|558BEC6AFF680002410068C4A0400064A100000000506489250000000083EC58|"; sid: 2009000189; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v200b2-200b3]"; flow: established,to_client; content: "|558BEC6AFF6800F2400068C4A0400064A100000000506489250000000083EC58|"; sid: 2009000190; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v201]"; flow: established,to_client; content: "|558BEC6AFF680802410068049A400064A100000000506489250000000083EC58|"; sid: 2009000191; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v210b2]"; flow: established,to_client; content: "|558BEC6AFF68181241006824A0400064A100000000506489250000000083EC58|"; sid: 2009000192; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v220]"; flow: established,to_client; content: "|558BEC6AFF681012410068F4A0400064A100000000506489250000000083EC58|"; sid: 2009000193; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v220b1]"; flow: established,to_client; content: "|558BEC6AFF683012410068A4A5400064A100000000506489250000000083EC58|"; sid: 2009000194; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v250]"; flow: established,to_client; content: "|558BEC6AFF68B8|"; content: "|68F8|"; distance: 3; within: 5; content: "|64A100000000506489250000000083EC585356578965E8FF1520|"; distance: 3; within: 29; content: "|33D28AD48915D0|"; distance: 3; within: 10; sid: 2009000195; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v250b3]"; flow: established,to_client; content: "|558BEC6AFF68B8|"; content: "|68F8|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1520|"; distance: 4; within: 16; content: "|33D28AD48915D0|"; distance: 3; within: 10; sid: 2009000196; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v251]"; flow: established,to_client; content: "|558BEC6AFF68B8|"; content: "|68D0|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1520|"; distance: 4; within: 16; sid: 2009000197; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v252]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|E0|"; distance: 4; within: 5; content: "|68D464A100000000506489250000000083EC585356578965E8FF|"; distance: 4; within: 30; content: "|1538|"; distance: 3; within: 5; sid: 2009000198; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v252]"; flow: established,to_client; content: "|558BEC6AFF68E0|"; content: "|68D4|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1538|"; distance: 4; within: 16; sid: 2009000199; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v252 beta2]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|B0|"; distance: 4; within: 5; content: "|686064A100000000506489250000000083EC585356578965E8FF|"; distance: 4; within: 30; content: "|1524|"; distance: 3; within: 5; sid: 2009000200; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v252b2]"; flow: established,to_client; content: "|558BEC6AFF68B0|"; content: "|6860|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1524|"; distance: 4; within: 16; sid: 2009000201; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v253]"; flow: established,to_client; content: "|558BEC6AFF6840|"; content: "|6854|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1558|"; distance: 4; within: 16; content: "|33D28AD48915EC|"; distance: 3; within: 10; sid: 2009000202; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v253]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|40|"; distance: 4; within: 5; content: "|685464A100000000506489250000000083EC585356578965E8FF|"; distance: 4; within: 30; content: "|155833D28AD489|"; distance: 3; within: 10; sid: 2009000203; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v253b3]"; flow: established,to_client; content: "|558BEC6AFF68D8|"; content: "|6814|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF15|"; distance: 4; within: 15; sid: 2009000204; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v25x - v26x]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64A100000000506489250000000083EC585356578965E8FF1558|"; distance: 4; within: 30; content: "|33D28AD48915EC|"; distance: 3; within: 10; sid: 2009000205; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v260]"; flow: established,to_client; content: "|558BEC6AFF68D0|"; content: "|6834|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1568|"; distance: 4; within: 16; content: "|33D28AD4891584|"; distance: 3; within: 10; sid: 2009000206; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v260a]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|6894|"; distance: 4; within: 6; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF156C|"; distance: 4; within: 16; content: "|33D28AD48915B4|"; distance: 3; within: 10; sid: 2009000207; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v260b1]"; flow: established,to_client; content: "|558BEC6AFF6850|"; content: "|6874|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1558|"; distance: 4; within: 16; content: "|33D28AD48915FC|"; distance: 3; within: 10; sid: 2009000208; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v260b2]"; flow: established,to_client; content: "|558BEC6AFF6890|"; content: "|6824|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1560|"; distance: 4; within: 16; content: "|33D28AD489153C|"; distance: 3; within: 10; sid: 2009000209; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v260c]"; flow: established,to_client; content: "|558BEC6AFF6840|"; content: "|68F4|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF156C|"; distance: 4; within: 16; content: "|33D28AD48915F4|"; distance: 3; within: 10; sid: 2009000210; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v261]"; flow: established,to_client; content: "|558BEC6AFF6828|"; content: "|68E4|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF156C|"; distance: 4; within: 16; content: "|33D28AD489150C|"; distance: 3; within: 10; sid: 2009000211; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v265b1]"; flow: established,to_client; content: "|558BEC6AFF6838|"; content: "|6840|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1528|"; distance: 4; within: 16; content: "|33D28AD48915F4|"; distance: 3; within: 10; sid: 2009000212; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v275a]"; flow: established,to_client; content: "|558BEC6AFF6868|"; content: "|68D0|"; distance: 3; within: 5; content: "|64A1|"; distance: 3; within: 5; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1528|"; distance: 4; within: 16; content: "|33D28AD4891524|"; distance: 3; within: 10; sid: 2009000213; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v285]"; flow: established,to_client; content: "|558BEC6AFF6868|"; content: "|68|"; distance: 3; within: 4; content: "|64A1|"; distance: 4; within: 6; content: "|50648925|"; distance: 4; within: 8; content: "|83EC585356578965E8FF1528|"; distance: 4; within: 16; content: "|33D28AD4891524|"; distance: 3; within: 10; sid: 2009000214; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v2xx (CopyMem II)]"; flow: established,to_client; content: "|6A|"; content: "|8BB5|"; distance: 1; within: 3; content: "|C1E6048B85|"; distance: 4; within: 9; content: "|2507|"; distance: 4; within: 6; content: "|8079054883C8F84033C98A88|"; distance: 2; within: 14; content: "|8B95|"; distance: 4; within: 6; content: "|81E207|"; distance: 4; within: 7; content: "|8079054A83CAF84233C08A82|"; distance: 2; within: 14; sid: 2009000215; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v300]"; flow: established,to_client; content: "|60E8|"; content: "|5D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959586033C9|"; distance: 4; within: 45; sid: 2009000216; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v300a]"; flow: established,to_client; content: "|60E8|"; content: "|5D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB|"; distance: 4; within: 45; sid: 2009000217; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v301 v305]"; flow: established,to_client; content: "|60E8000000005D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE959585051EB0F|"; sid: 2009000218; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v310]"; flow: established,to_client; content: "|558BEC6AFF68E09744006820C0420064A100000000506489250000000083EC585356578965E8FF154C41440033D28AD4891590A144008BC881E1FF000000890D8CA14400C1E10803CA890D88A14400C1E810A384A1|"; sid: 2009000219; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v3xx]"; flow: established,to_client; content: "|60E8|"; content: "|5D5051EB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE95958|"; distance: 4; within: 42; sid: 2009000220; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v4000053 - Silicon Realms Toolworks]"; flow: established,to_client; content: "|558BEC6AFF68208B4B006880E4480064A100000000506489250000000083EC585356578965E8FF1588314B0033D28AD48915A4A14B008BC881E1FF000000890DA0A14B00C1E10803CA890D9CA14B00C1E810A398A1|"; sid: 2009000221; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v410 - Silicon Realms Toolworks]"; flow: established,to_client; content: "|558BEC6AFF68F88E4C0068D0EA490064A100000000506489250000000083EC585356578965E8FF1588314C0033D28AD489157CA54C008BC881E1FF000000890D78A54C00C1E10803CA890D74A54C00C1E810A370A5|"; sid: 2009000222; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v420 - Silicon Realms Toolworks]"; flow: established,to_client; content: "|558BEC6AFF68F88E4C0068F0EA490064A100000000506489250000000083EC585356578965E8FF1588314C0033D28AD4891584A54C008BC881E1FF000000890D80A54C00C1E10803CA890D7CA54C00C1E810A378A5|"; sid: 2009000223; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v430 - v440 - Silicon Realms Toolworks]"; flow: established,to_client; content: "|558BEC6AFF6840|"; content: "|006880|"; distance: 2; within: 5; content: "|0064A100000000506489250000000083EC585356578965E8FF1588|"; distance: 2; within: 29; content: "|0033D28AD4891530|"; distance: 2; within: 10; content: "|008BC881E1FF000000890D2C|"; distance: 2; within: 14; content: "|00C1E10803CA890D28|"; distance: 2; within: 11; content: "|00C1E810A324|"; distance: 2; within: 8; sid: 2009000224; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Armadillo v430 - v440 - Silicon Realms Toolworks]"; flow: established,to_client; content: "|60E8000000005D50510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08FDEB0BF2EBF5EBF6F2EB08FDEBE9F3EBE4FCE99D0FC98BCAF7D1595850510FCAF7D29CF7D20FCAEB0FB9EB0FB8EB07B9EB0F90EB08|"; sid: 2009000225; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASDPack 20 - asd]"; flow: established,to_client; content: "|8B442404565753E8CD010000C30000000000000000000000000010000000|"; sid: 2009000226; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v100b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81ED921A44|"; distance: 4; within: 10; content: "|B88C1A44|"; distance: 1; within: 5; content: "|03C52B85CD1D44|"; distance: 1; within: 8; content: "|8985D91D44|"; distance: 1; within: 6; content: "|80BDC41D44|"; distance: 1; within: 6; sid: 2009000227; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v101b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81EDD22A44|"; distance: 4; within: 10; content: "|B8CC2A44|"; distance: 1; within: 5; content: "|03C52B85A52E44|"; distance: 1; within: 8; content: "|8985B12E44|"; distance: 1; within: 6; content: "|80BD9C2E44|"; distance: 1; within: 6; sid: 2009000228; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v102a - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81ED3ED943|"; distance: 4; within: 10; content: "|B838|"; distance: 1; within: 3; content: "|03C52B850BDE43|"; distance: 3; within: 10; content: "|898517DE43|"; distance: 1; within: 6; content: "|80BD01DE43|"; distance: 1; within: 6; content: "|7515FE8501DE43|"; distance: 2; within: 9; content: "|E81D|"; distance: 1; within: 3; content: "|E87902|"; distance: 3; within: 6; content: "|E81203|"; distance: 2; within: 5; content: "|8B8503DE43|"; distance: 2; within: 7; content: "|038517DE43|"; distance: 1; within: 6; content: "|8944241C61FF|"; distance: 1; within: 7; sid: 2009000229; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v102b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8000000005D81ED96784300B89078430003C5|"; sid: 2009000230; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v102b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81ED967843|"; distance: 4; within: 10; content: "|B8907843|"; distance: 1; within: 5; content: "|03C52B857D7C43|"; distance: 1; within: 8; content: "|8985897C43|"; distance: 1; within: 6; content: "|80BD747C43|"; distance: 1; within: 6; sid: 2009000231; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v103b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81EDAE9843|"; distance: 4; within: 10; content: "|B8A89843|"; distance: 1; within: 5; content: "|03C52B85189D43|"; distance: 1; within: 8; content: "|8985249D43|"; distance: 1; within: 6; content: "|80BD0E9D43|"; distance: 1; within: 6; sid: 2009000232; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v104b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81ED|"; distance: 4; within: 7; content: "|B8|"; distance: 4; within: 5; content: "|03C52B85|"; distance: 4; within: 8; content: "|129D|"; distance: 1; within: 3; content: "|89851E9D|"; distance: 1; within: 5; content: "|80BD089D|"; distance: 2; within: 6; sid: 2009000233; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v105b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81EDCE3A44|"; distance: 4; within: 10; content: "|B8C83A44|"; distance: 1; within: 5; content: "|03C52B85B53E44|"; distance: 1; within: 8; content: "|8985C13E44|"; distance: 1; within: 6; content: "|80BDAC3E44|"; distance: 1; within: 6; sid: 2009000234; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v1061b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81EDEAA843|"; distance: 4; within: 10; content: "|B8E4A843|"; distance: 1; within: 5; content: "|03C52B8578AD43|"; distance: 1; within: 8; content: "|898584AD43|"; distance: 1; within: 6; content: "|80BD6EAD43|"; distance: 1; within: 6; sid: 2009000235; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v107b (DLL) - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8000000005D|"; content: "|B8|"; distance: 6; within: 7; content: "|03C5|"; distance: 4; within: 6; sid: 2009000236; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v107b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8|"; content: "|5D81ED|"; distance: 4; within: 7; content: "|B8|"; distance: 4; within: 5; content: "|03C52B85|"; distance: 4; within: 8; content: "|0BDE|"; distance: 1; within: 3; content: "|898517DE|"; distance: 1; within: 5; content: "|80BD01DE|"; distance: 2; within: 6; sid: 2009000237; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10801 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60EB0A5DEB02FF2545FFE5E8E9E8F1FFFFFFE981|"; content: "|4400BB10|"; distance: 3; within: 7; content: "|440003DD2B9D|"; distance: 1; within: 7; sid: 2009000238; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10801 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60EB0A5DEB02FF2545FFE5E8E9E8F1FFFFFFE981|"; content: "|44|"; distance: 3; within: 4; content: "|BB10|"; distance: 1; within: 3; content: "|44|"; distance: 1; within: 2; content: "|03DD2B9D|"; distance: 1; within: 5; sid: 2009000239; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10801 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60EB|"; content: "|5DEB|"; distance: 1; within: 3; content: "|FF|"; distance: 1; within: 2; content: "|E9|"; distance: 5; within: 6; sid: 2009000240; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10802 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60EB0A5DEB02FF2545FFE5E8E9E8F1FFFFFFE981ED236A4400BB10|"; content: "|440003DD2B9D72|"; distance: 1; within: 8; sid: 2009000241; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10803 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8000000005D81ED0A4A4400BB044A440003DD|"; sid: 2009000242; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10803 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8000000005D81ED0A4A4400BB044A440003DD2B9DB150440083BDAC50440000899DBB4E|"; sid: 2009000243; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10803 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8000000005D|"; content: "|BB|"; distance: 6; within: 7; content: "|03DD|"; distance: 4; within: 6; sid: 2009000244; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10803 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E8000000005D|"; content: "|BB|"; distance: 6; within: 7; content: "|03DD2B9DB150440083BDAC50440000899DBB4E|"; distance: 4; within: 23; sid: 2009000245; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v10804 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E841060000EB41|"; sid: 2009000246; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v108x - Alexey Solodovnikov]"; flow: established,to_client; content: "|60EB035DFFE5E8F8FFFFFF81ED1B6A4400BB106A440003DD2B9D2A|"; sid: 2009000247; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2000 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E870050000EB4C|"; sid: 2009000248; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2001 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E872050000EB4C|"; sid: 2009000249; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v21 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E872050000EB3387DB9000|"; sid: 2009000250; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v211b - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E802000000EB095D5581ED39394400C3E93D040000|"; sid: 2009000251; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v211c - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E802000000EB095D5581ED39394400C3E959040000|"; sid: 2009000252; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v211d - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E802000000EB095D55|"; sid: 2009000253; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v212 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E803000000E9EB045D4555C3E801|"; sid: 2009000254; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v212 - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB|"; sid: 2009000255; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2xx - Alexey Solodovnikov]"; flow: established,to_client; content: "|A8030000617508B801000000C20C006800000000C38B85260400008D8D3B0400005150FF95|"; sid: 2009000256; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPack v2xx - Alexey Solodovnikov]"; flow: established,to_client; content: "|A803|"; content: "|617508B801|"; distance: 2; within: 7; content: "|C20C|"; distance: 3; within: 5; content: "|68|"; distance: 1; within: 2; content: "|C38B852604|"; distance: 4; within: 9; content: "|8D8D3B04|"; distance: 2; within: 6; content: "|5150FF95|"; distance: 2; within: 6; sid: 2009000257; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASPR Stripper v2x unpacked]"; flow: established,to_client; content: "|BB|"; content: "|E9|"; distance: 4; within: 5; content: "|609CFCBF|"; distance: 4; within: 8; content: "|B9|"; distance: 4; within: 5; content: "|F3AA9D61C3558BEC|"; distance: 4; within: 12; sid: 2009000258; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect 133 - 21 Registered - Alexey Solodovnikov]"; flow: established,to_client; content: "|6801|"; content: "|E801000000C3C3|"; distance: 3; within: 10; sid: 2009000259; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect SKE 21x (dll) - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB00|"; content: "|807D4D01750C8B74242883FE01895D4E75318D45535053FFB5ED0900008D453550E9820000000000000000000000000000000000|"; distance: 3; within: 55; sid: 2009000260; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v10]"; flow: established,to_client; content: "|60E801|"; content: "|905D81ED|"; distance: 3; within: 7; content: "|BB|"; distance: 4; within: 5; content: "|03DD2B9D|"; distance: 4; within: 8; sid: 2009000261; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v11]"; flow: established,to_client; content: "|60E9|"; content: "|04|"; distance: 1; within: 2; content: "|E9|"; distance: 2; within: 3; content: "|EE|"; distance: 7; within: 8; sid: 2009000262; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v11 MTE]"; flow: established,to_client; content: "|60E9|"; content: "|9178797979E9|"; distance: 4; within: 10; sid: 2009000263; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v11 MTEc]"; flow: established,to_client; content: "|9060E81B|"; content: "|E9FC|"; distance: 3; within: 5; sid: 2009000264; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v123 RC1]"; flow: established,to_client; content: "|6801|"; content: "|00E801000000C3C3|"; distance: 2; within: 10; sid: 2009000265; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v123 RC4 build 0807 (dll) - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB00|"; content: "|807D4D01750C8B74242883FE01895D4E75318D45535053FFB5D50900008D453550E9820000000000000000000000000000000000|"; distance: 3; within: 55; sid: 2009000266; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v12x]"; flow: established,to_client; content: "|00006801|"; content: "|C3AA|"; distance: 3; within: 5; sid: 2009000267; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect v12x (New Strain)]"; flow: established,to_client; content: "|6801|"; content: "|E801|"; distance: 3; within: 5; content: "|C3C3|"; distance: 3; within: 5; sid: 2009000268; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect V2X DLL - Alexey Solodovnikov]"; flow: established,to_client; content: "|60E803000000E9|"; content: "|5D4555C3E801000000EB5DBB|"; distance: 2; within: 14; content: "|03DD|"; distance: 4; within: 6; sid: 2009000269; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ASProtect vxx]"; flow: established,to_client; content: "|60|"; content: "|905D|"; distance: 5; within: 7; content: "|03DD|"; distance: 11; within: 13; sid: 2009000270; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ass - crypter - by santasdad]"; flow: established,to_client; content: "|558BEC83C4EC53|"; content: "|8945ECB898400010E8ACEAFFFF33C055687851001064|"; distance: 4; within: 26; content: "|206A0A6888510010A1E097001050E8D8EAFFFF8BD853A1E097001050E812EBFFFF8BF853A1E097001050E8DCEAFFFF8BD853E8DCEAFFFF8BF085F674268BD74AB8F0970010E8C9E7FFFFB8F0970010E8B7E7FFFF8BCF8BD6E8EEEAFFFF53E898EAFFFF8D4DECBA9C510010A1F0970010E822EBFFFF8B55ECB8F0970010E889E6FFFFB8F0970010E87FE7FFFFE86EECFFFF33C05A5959648910687F5100108D45ECE811E6FFFFC3E9FFDFFFFFEBF05F5E5BE80DE5FFFF0053455454494E475300000000FFFFFFFF1C000000454E54455220594F5552204F574E2050415353574F52442048455245|"; distance: 4; within: 235; sid: 2009000271; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AverCryptor 10 - os1r1s]"; flow: established,to_client; content: "|60E8000000005D81ED751740008BBD9C1840008B8DA4184000B8BC18400003C580300583F9007471817F1CAB00000075628B570C0395A018400033C05133C966B9FA006683F90074498B570C0395A01840008B85A818400083F802750681C200020000518B4F1083F802750681E90002000057BFC80000008BF1E8270000008BC85FB8BC18400003C5E8240000005949EBB15983C72849EB8A8B85981840008944241C61FFE056574FF7D723F78BC65F5EC3|"; sid: 2009000272; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AverCryptor 102 beta - os1r1s]"; flow: established,to_client; content: "|60E8000000005D81ED0C1740008BBD331840008B8D3B184000B85118400003C580300583F9007471817F1CAB00000075628B570C03953718400033C05133C966B9F7006683F90074498B570C0395371840008B853F18400083F802750681C200020000518B4F1083F802750681E90002000057BFC80000008BF1E8270000008BC85FB85118400003C5E8240000005949EBB15983C72849EB8A8B852F1840008944241C61FFE056574FF7D723F78BC65F5EC3|"; sid: 2009000273; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AVPACK v120]"; flow: established,to_client; content: "|501E0E1F160733F68BFEB9|"; content: "|FCF3A506BB|"; distance: 2; within: 7; content: "|53CB|"; distance: 2; within: 4; sid: 2009000274; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[AZProtect 0001 - by AlexZ aka AZCRC]"; flow: established,to_client; content: "|EB70FC608C804D110070258100400D91BB608C804D11007021811D610D810040CE608C804D11007025812581258125812961418131611D610040B73000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060BE00|"; content: "|00BF00004000EB174B45524E454C33322E444C4C0000000000FF25|"; distance: 2; within: 29; content: "|008BC603C78BF857558BEC057F00000050E8E5FFFFFFBA8C|"; distance: 3; within: 27; content: "|008902E91A010000|"; distance: 2; within: 10; content: "|0000004765744D6F64756C6546696C654E616D654100476574566F6C756D65496E666F726D6174696F6E41004D657373616765426F7841004578697450726F63657373004765744D6F64756C6548616E646C6541|"; distance: 1; within: 85; sid: 2009000275; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[bambam 001 - bedrock]"; flow: established,to_client; content: "|6A14E89A0500008BD85368|"; content: "|E86CFDFFFFB9050000008BF3BF|"; distance: 4; within: 17; content: "|53F3A5E88D0500008B3D|"; distance: 4; within: 14; content: "|A1|"; distance: 4; within: 5; content: "|668B15|"; distance: 4; within: 7; content: "|B9|"; distance: 4; within: 5; content: "|2BCF8945E8890D|"; distance: 4; within: 11; content: "|668955EC8B413C33D203C183C410668B4806668B501481E1FFFF00008D5C02188D41FF85C0|"; distance: 4; within: 41; sid: 2009000276; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[bambam 004 - bedrock]"; flow: established,to_client; content: "|BF|"; content: "|83C9FF33C068|"; distance: 4; within: 10; content: "|F2AEF7D1495168|"; distance: 4; within: 11; content: "|E8110A000083C40C68|"; distance: 4; within: 13; content: "|FF15|"; distance: 4; within: 6; content: "|8BF0BF|"; distance: 4; within: 7; content: "|83C9FF33C0F2AEF7D149BF|"; distance: 4; within: 15; content: "|8BD168|"; distance: 4; within: 7; content: "|C1E902F3AB8BCA83E103F3AABF|"; distance: 4; within: 17; content: "|83C9FF33C0F2AEF7D1495168|"; distance: 4; within: 16; content: "|E8C0090000|"; distance: 4; within: 9; sid: 2009000277; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[beria v007 public WIP -- symbiont]"; flow: established,to_client; content: "|83EC18538B1D0030|"; content: "|555657683007000033ED55FFD38BF03BF5740D89AE20070000E8880F0000EB0233F66A105589353040|"; distance: 2; within: 43; content: "|FFD38BF03BF57409892EE83CFEFFFFEB0233F66A18558935D843|"; distance: 2; within: 28; content: "|FFD38BF0|"; distance: 2; within: 6; sid: 2009000278; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRo Tiny Pascal - BeRo]"; flow: established,to_client; content: "|E9|"; content: "|20436F6D70696C65642062793A204265526F54696E7950617363616C202D2028432920436F7079726967687420323030362C2042656E6A616D696E20274265526F2720526F73736561757820|"; distance: 4; within: 80; sid: 2009000279; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v100 DLL [LZBRR] - BeRo Farbrausch]"; flow: established,to_client; content: "|837C2408010F85|"; content: "|60BE|"; distance: 4; within: 6; content: "|BF|"; distance: 4; within: 5; content: "|FCB28033DBA4B302E8|"; distance: 4; within: 13; content: "|73F633C9E8|"; distance: 4; within: 9; content: "|731C33C0E8|"; distance: 4; within: 9; content: "|7323B30241B010|"; distance: 4; within: 11; sid: 2009000280; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v100 DLL [LZBRS] - BeRo Farbrausch]"; flow: established,to_client; content: "|837C2408010F85|"; content: "|60BE|"; distance: 4; within: 6; content: "|BF|"; distance: 4; within: 5; content: "|FCAD8D1C07B0803BFB733BE8|"; distance: 4; within: 16; content: "|7203A4EBF2E8|"; distance: 4; within: 10; content: "|8D51FFE8|"; distance: 4; within: 8; content: "|568BF72BF2F3A45EEBDB02C07503AC12C0C333|"; distance: 4; within: 23; sid: 2009000281; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v100 DLL [LZMA] - BeRo Farbrausch]"; flow: established,to_client; content: "|837C2408010F85|"; content: "|6068|"; distance: 4; within: 6; content: "|68|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|E8|"; distance: 4; within: 5; content: "|BE|"; distance: 4; within: 5; content: "|B9|"; distance: 4; within: 5; content: "|8BF981FE|"; distance: 4; within: 8; content: "|7F10AC4704182C0273F0293E03F103F9EBE8|"; distance: 4; within: 22; sid: 2009000282; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v100 [LZBRR] - BeRo Farbrausch]"; flow: established,to_client; content: "|60BE|"; content: "|BF|"; distance: 4; within: 5; content: "|FCB28033DBA4B302E8|"; distance: 4; within: 13; content: "|73F633C9E8|"; distance: 4; within: 9; content: "|731C33C0E8|"; distance: 4; within: 9; content: "|7323B30241B010|"; distance: 4; within: 11; sid: 2009000283; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v100 [LZBRS] - BeRo Farbrausch]"; flow: established,to_client; content: "|60BE|"; content: "|BF|"; distance: 4; within: 5; content: "|FCAD8D1C07B0803BFB733BE8|"; distance: 4; within: 16; content: "|7203A4EBF2E8|"; distance: 4; within: 10; content: "|8D51FFE8|"; distance: 4; within: 8; content: "|568BF72BF2F3A45EEBDB02C07503AC12C0C333|"; distance: 4; within: 23; sid: 2009000284; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BeRoEXEPacker v100 [LZMA] - BeRo Farbrausch]"; flow: established,to_client; content: "|6068|"; content: "|68|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|E8|"; distance: 4; within: 5; content: "|BE|"; distance: 4; within: 5; content: "|B9040000008BF981FE|"; distance: 4; within: 13; content: "|7F10AC4704182C0273F0293E03F103F9EBE8|"; distance: 4; within: 22; sid: 2009000285; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BlackEnergy DDoS Bot Crypter]"; flow: established,to_client; content: "|55|"; content: "|81EC1C0100005356576A04BE0030000056FF35002011136A00E8|"; distance: 2; within: 28; content: "|030000|"; distance: 1; within: 4; content: "|83C410|"; distance: 2; within: 5; content: "|FF897DF40F|"; distance: 1; within: 6; sid: 2009000286; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Blade Joiner v15]"; flow: established,to_client; content: "|558BEC81C4E4FEFFFF53565733C08945F08985|"; sid: 2009000287; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BobPack v100 -- BoB BobSoft]"; flow: established,to_client; content: "|60E8000000008B0C2489CD83E90681ED|"; content: "|E83D0000008985|"; distance: 4; within: 11; content: "|89C2B85D0A00008D0408E8E40000008B700401D6E876000000E851010000E80101|"; distance: 4; within: 37; sid: 2009000288; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BobSoft Mini Delphi - BoB BobSoft]"; flow: established,to_client; content: "|558BEC83C4F05356B8|"; content: "|E8|"; distance: 4; within: 5; content: "|33C05568|"; distance: 4; within: 8; content: "|64FF30648920B8|"; distance: 4; within: 11; sid: 2009000289; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BobSoft Mini Delphi - BoB BobSoft]"; flow: established,to_client; content: "|558BEC83C4F053B8|"; content: "|E8|"; distance: 4; within: 5; content: "|33C05568|"; distance: 4; within: 8; content: "|64FF30648920B8|"; distance: 4; within: 11; content: "|E8|"; distance: 4; within: 5; sid: 2009000290; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BobSoft Mini Delphi - BoB BobSoft]"; flow: established,to_client; content: "|558BEC83C4F0B8|"; content: "|E8|"; distance: 4; within: 5; sid: 2009000291; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[BopCrypt v10]"; flow: established,to_client; content: "|60BD|"; content: "|E8|"; distance: 4; within: 5; content: "|0000|"; distance: 2; within: 4; sid: 2009000292; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CD-Cops II]"; flow: established,to_client; content: "|5360BD|"; content: "|8D45|"; distance: 4; within: 6; content: "|8D5D|"; distance: 1; within: 3; content: "|E8|"; distance: 1; within: 2; content: "|8D|"; distance: 4; within: 5; sid: 2009000293; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CDS SS 10 beta1 - CyberDoom]"; flow: established,to_client; content: "|60E8000000005D81EDCA474000FF742420E8D30300000BC00F84130300008985B84E4000668CD8A804740CC7858C4E400001000000EB1264A1300000000FB640020AC00F85E80200008D85F64C400050FFB5B84E4000E8FC0300000BC00F84CE020000E81E0300008985904E40008D85034D400050FFB5B84E4000E8D70300000BC00F84A9020000E8F90200008985944E40008D85124D400050|"; sid: 2009000294; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CDS SS v10 Beta 1 - CyberDoom Team-X]"; flow: established,to_client; content: "|60E8000000005D81EDCA474000FF742420E8D30300000BC00F84130300008985B84E4000668CD8A804740CC7858C4E400001000000EB1264A1300000000FB640020AC00F85E80200008D85F64C400050FFB5B84E4000E8FC0300000BC00F84CE020000E81E0300008985904E40008D85034D400050FFB5B8|"; sid: 2009000295; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Celsius Crypt 21 - Z3r0]"; flow: established,to_client; content: "|5589E583EC08C7042401000000FF1584924400E8C8FEFFFF908DB426000000005589E583EC08C7042402000000FF1584924400E8A8FEFFFF908DB42600000000558B0DC492440089E55DFFE18D742600558B0DAC92440089E55DFFE1909090905589E55DE977C20000909090909090905589E583EC288B4510890424E83F140100488945FC8B450C488945F48D45F4894424048D45FC890424E812A303008B008945F88B45FC8945F0C645EF01C745E8000000008B45E83B45F87339807DEF0074338B45F0894424048B4510890424E81C1A010089C18B45088B55E801C20FB6013A020F94C08845EF8D45F0FF088D45E8FF00EBBF837DF0007434807DEF00742E8B45F0894424048B4510890424E8DD19010089C18B45088B55F801C20FB6013A020F94C08845EF8D45F0FF08EBC6C7442404000000008B4510890424E8AE19010089C18B45088B55F801C20FB6013A027F0C0FB645EF83E0018845E7EB04C645E7000FB645E78845EF0FB645EFC9C3|"; sid: 2009000296; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CERBERUS v20]"; flow: established,to_client; content: "|9C2BED8C|"; content: "|8C|"; distance: 2; within: 3; content: "|FAE4|"; distance: 2; within: 4; content: "|88|"; distance: 1; within: 2; content: "|1607BF|"; distance: 2; within: 5; content: "|8EDD9BF5B9|"; distance: 2; within: 7; content: "|FCF3A5|"; distance: 2; within: 5; sid: 2009000297; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CExe v10a]"; flow: established,to_client; content: "|558BEC81EC0C02|"; content: "|56BE0401|"; distance: 2; within: 6; content: "|8D85F8FEFFFF56506A|"; distance: 2; within: 11; content: "|FF15541040|"; distance: 1; within: 6; content: "|8A8DF8FEFFFF33D284C98D85F8FEFFFF7416|"; distance: 1; within: 19; sid: 2009000298; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CHECKPRG (c) 1992]"; flow: established,to_client; content: "|33C0BE|"; content: "|8BD8B9|"; distance: 2; within: 5; content: "|BF|"; distance: 2; within: 3; content: "|BA|"; distance: 2; within: 3; content: "|474A74|"; distance: 2; within: 5; sid: 2009000299; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ChSfx (small) v11]"; flow: established,to_client; content: "|BA|"; content: "|E8|"; distance: 2; within: 3; content: "|8BEC83EC|"; distance: 2; within: 6; content: "|8CC8BB|"; distance: 1; within: 4; content: "|B1|"; distance: 2; within: 3; content: "|D3EB03C38ED805|"; distance: 1; within: 8; content: "|89|"; distance: 2; within: 3; sid: 2009000300; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CICompress v10]"; flow: established,to_client; content: "|6A046800100000FF359C1440006A00FF1538104000A3FC10400097BE00204000E8710000003B059C14400075616A006A206A026A006A0368000000C06894104000FF152C104000A3F81040006A0068F4104000FF35|"; sid: 2009000301; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CipherWall Self-ExtratorDecryptor (Console) v15]"; flow: established,to_client; content: "|9061BE001042008DBE0000FEFFC787C02002000B6E5B9B5783CDFFEB0E909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E4|"; sid: 2009000302; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CipherWall Self-ExtratorDecryptor (GUI) v15]"; flow: established,to_client; content: "|9061BE001042008DBE0000FEFFC787C0200200F989C76A5783CDFFEB0E909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E4|"; sid: 2009000303; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Code-Lock vxx]"; flow: established,to_client; content: "|434F44452D4C4F434B2E4F435800|"; sid: 2009000304; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CodeCrypt v014b]"; flow: established,to_client; content: "|E9C5020000EB02833D58EB02FF1D5BEB020FC75F|"; sid: 2009000305; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CodeCrypt v015b]"; flow: established,to_client; content: "|E931030000EB02833D58EB02FF1D5BEB020FC75F|"; sid: 2009000306; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CodeCrypt v0164]"; flow: established,to_client; content: "|E92E030000EB02833D58EB02FF1D5BEB020FC75FEB03FF1D34|"; sid: 2009000307; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CodeCrypt v016b - v0163b]"; flow: established,to_client; content: "|E92E030000EB02833D58EB02FF1D5BEB020FC75F|"; sid: 2009000308; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[codeCrypter 031 - Tibbar]"; flow: established,to_client; content: "|5058535B90BB|"; content: "|00FFE390CCCCCC558BEC5DC3CCCCCCCCCCCCCCCCCCCCCC|"; distance: 3; within: 26; sid: 2009000309; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[COP v10 (c) 1988]"; flow: established,to_client; content: "|BF|"; content: "|BE|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|AC32|"; distance: 2; within: 4; content: "|AAE2|"; distance: 3; within: 5; content: "|8B|"; distance: 1; within: 2; content: "|EB|"; distance: 3; within: 4; content: "|90|"; distance: 1; within: 2; sid: 2009000310; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Copy Protector v20]"; flow: established,to_client; content: "|2EA2|"; content: "|5351521E06B4|"; distance: 2; within: 8; content: "|1E0E1FBA|"; distance: 1; within: 5; content: "|CD211F|"; distance: 2; within: 5; sid: 2009000311; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CopyControl v303]"; flow: established,to_client; content: "|CC9090EB0B0150515253546133612D35CAD10752D1A13C|"; sid: 2009000312; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CopyMinder - MicrocosmLtd]"; flow: established,to_client; content: "|8325|"; content: "|EF6A00E8|"; distance: 4; within: 8; content: "|E8|"; distance: 4; within: 5; content: "|CCFF25|"; distance: 4; within: 7; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; content: "|FF25|"; distance: 4; within: 6; sid: 2009000313; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CPAV]"; flow: established,to_client; content: "|E8|"; content: "|4D5AB1019301000002|"; distance: 2; within: 11; sid: 2009000314; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrackStop v101 (c) Stefan Esser 1997]"; flow: established,to_client; content: "|B448BBFFFFB9EB278BECCD21FAFC|"; sid: 2009000315; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CreateInstall Stub vxx]"; flow: established,to_client; content: "|558BEC81EC200200005356576A00FF15186140006800704000894508FF151461400085C074276A00A10020400050FF153C6140008BF06A0656FF15386140006A0356FF1538614000E93603000068027F000033F656|"; sid: 2009000316; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crinkler V01-V02 - Rune LHStubbe and Aske Simon Christensen]"; flow: established,to_client; content: "|B9|"; content: "|01C068|"; distance: 4; within: 7; content: "|6A0058506A005F485DBB03000000BE|"; distance: 4; within: 19; content: "|E9|"; distance: 4; within: 5; sid: 2009000317; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crinkler V03-V04 - Rune LHStubbe and Aske Simon Christensen]"; flow: established,to_client; content: "|B80000420031DB43EB58|"; sid: 2009000318; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch v40]"; flow: established,to_client; content: "|EB100000000000000000000000000000000055E8000000005D81ED180000008BC555609C2B85E90600008985E1060000FF74242CE8BB0100000F8292050000E8F1030000490F8886050000686CD9B29633C050E824|"; sid: 2009000319; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crunch v5 - Bit-Arts]"; flow: established,to_client; content: "|EB1503000000060000000000000000000000680000000055E8000000005D81ED1D0000008BC555609C2B85FC0700008985E8070000FF74242CE8200200000F8294060000E8F3040000490F88880600008BB5E80700|"; sid: 2009000320; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrunchPE]"; flow: established,to_client; content: "|55E8|"; content: "|5D83ED068BC5556089AD|"; distance: 4; within: 14; content: "|2B85|"; distance: 4; within: 6; sid: 2009000321; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrunchPE v10xx]"; flow: established,to_client; content: "|55E8|"; content: "|5D83ED068BC5556089AD|"; distance: 4; within: 14; content: "|2B85|"; distance: 4; within: 6; content: "|8985|"; distance: 4; within: 6; content: "|80BD|"; distance: 4; within: 6; content: "|7509C685|"; distance: 5; within: 9; sid: 2009000322; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrunchPE v20xx]"; flow: established,to_client; content: "|55E8|"; content: "|5D83ED068BC5556089AD|"; distance: 4; within: 14; content: "|2B85|"; distance: 4; within: 6; content: "|8985|"; distance: 4; within: 6; content: "|55BB|"; distance: 4; within: 6; content: "|03DD536467FF36|"; distance: 4; within: 11; content: "|64678926|"; distance: 2; within: 6; sid: 2009000323; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrunchPE v30xx]"; flow: established,to_client; content: "|EB10|"; content: "|55E8|"; distance: 16; within: 18; content: "|5D81ED18|"; distance: 4; within: 8; content: "|8BC555609C2B85|"; distance: 3; within: 10; content: "|8985|"; distance: 4; within: 6; content: "|FF74|"; distance: 4; within: 6; sid: 2009000324; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Cruncher v10]"; flow: established,to_client; content: "|2E|"; content: "|2E|"; distance: 4; within: 5; content: "|B430CD213C0373|"; distance: 3; within: 10; content: "|BB|"; distance: 1; within: 2; content: "|8EDB8D|"; distance: 2; within: 5; content: "|B409CD210633C050CB|"; distance: 3; within: 12; sid: 2009000325; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypKey v5 - v6]"; flow: established,to_client; content: "|E8|"; content: "|5883E805505F578BF781EF|"; distance: 4; within: 15; content: "|83C639BA|"; distance: 4; within: 8; content: "|8BDFB90B|"; distance: 4; within: 8; content: "|8B06|"; distance: 3; within: 5; sid: 2009000326; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypKey V56X - Kenonic Controls Ltd]"; flow: established,to_client; content: "|E8|"; content: "|E8|"; distance: 4; within: 5; content: "|83F80075076A00E8|"; distance: 4; within: 12; sid: 2009000327; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypKey V56X DLL - Kenonic Controls Ltd]"; flow: established,to_client; content: "|8B1D|"; content: "|83FB00750AE8|"; distance: 4; within: 10; content: "|E8|"; distance: 4; within: 5; sid: 2009000328; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypKey V61X DLL - CrypKey (Canada) Inc]"; flow: established,to_client; content: "|833D|"; content: "|00753468|"; distance: 4; within: 8; content: "|E8|"; distance: 4; within: 5; sid: 2009000329; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CRYPT Version 17 (c) Dismember]"; flow: established,to_client; content: "|0E179C58F6|"; content: "|74|"; distance: 2; within: 3; content: "|E9|"; distance: 1; within: 2; sid: 2009000330; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Cryptic 20 - Tughack]"; flow: established,to_client; content: "|B800004000BB|"; content: "|00B900100000BA|"; distance: 3; within: 10; content: "|0003D803C803D13BCA74068031|"; distance: 3; within: 16; content: "|41EBF6FFE3|"; distance: 1; within: 6; sid: 2009000331; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crypto-Lock v202 (Eng) - Ryan Thian]"; flow: established,to_client; content: "|60BE159040008DBEEB7FFFFF5783CDFFEB109090909090908A0646880747|"; sid: 2009000332; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crypto-Lock v202 (Eng) - Ryan Thian]"; flow: established,to_client; content: "|60BE159040008DBEEB7FFFFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0|"; sid: 2009000333; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Crypto-Lock v202 (Eng) - Ryan Thian]"; flow: established,to_client; content: "|60BE|"; content: "|9040008DBE|"; distance: 1; within: 6; content: "|FFFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0|"; distance: 2; within: 77; sid: 2009000334; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CRYPToCRACks PE Protector V092 - Lukas Fleischer]"; flow: established,to_client; content: "|E801000000E8585B81E300FFFFFF66813B4D5A753784DB75338BF303|"; content: "|813E504500007526|"; distance: 2; within: 10; sid: 2009000335; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CRYPToCRACks PE Protector V093 - Lukas Fleischer]"; flow: established,to_client; content: "|5B81E300FFFFFF66813B4D5A75338BF303733C813E5045000075260FB746188BC869C0AD0B0000F7E02DAB5D414B69C9DEC0000003C1|"; sid: 2009000336; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CrypWrap vxx]"; flow: established,to_client; content: "|E8B8|"; content: "|E89002|"; distance: 3; within: 6; content: "|83F8|"; distance: 2; within: 4; content: "|75076A|"; distance: 1; within: 4; content: "|E8|"; distance: 1; within: 2; content: "|FF15498F40|"; distance: 4; within: 9; content: "|A9|"; distance: 1; within: 2; content: "|80740E|"; distance: 3; within: 6; sid: 2009000337; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Cygwin32]"; flow: established,to_client; content: "|5589E583EC04833D|"; sid: 2009000338; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DAEMON Protect v067]"; flow: established,to_client; content: "|60609C8CC932C9E30C520F014C24FE5A83C20C8B1A9D61|"; sid: 2009000339; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DalKrypt 10 - by DalKiT]"; flow: established,to_client; content: "|68001040005868|"; content: "|005F33DBEB0D8A140380EA0780F2048814034381FB|"; distance: 3; within: 24; content: "|0072EBFFE7|"; distance: 3; within: 8; sid: 2009000340; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE v153]"; flow: established,to_client; content: "|9C5557565251539CFAE8|"; content: "|5D81ED5B5340|"; distance: 4; within: 10; content: "|B0|"; distance: 1; within: 2; content: "|E8|"; distance: 1; within: 2; content: "|5E83C611B927|"; distance: 4; within: 10; content: "|3006464975FA|"; distance: 3; within: 9; sid: 2009000341; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE v210]"; flow: established,to_client; content: "|9C6A10730BEB02C151E806|"; content: "|C41173F75BCD83C404EB0299EBFF0C247101E879E07A017583C4049DEB0175685F2040|"; distance: 3; within: 38; content: "|E8B0EFFFFF7203730175BE|"; distance: 1; within: 12; sid: 2009000342; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE v210 - Ding Boy]"; flow: established,to_client; content: "|EB20|"; content: "|9C5557565251539CE8|"; distance: 32; within: 41; content: "|5D81ED|"; distance: 4; within: 7; content: "|EB587573657233322E646C6C|"; distance: 4; within: 16; content: "|4D657373616765426F7841|"; distance: 1; within: 12; content: "|6B65726E656C|"; distance: 1; within: 7; sid: 2009000343; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE v233 - Ding Boy]"; flow: established,to_client; content: "|EB20|"; content: "|40|"; distance: 2; within: 3; content: "|9C5557565251539CE8|"; distance: 29; within: 38; content: "|5D81ED|"; distance: 4; within: 7; content: "|9C6A10730BEB02C151E806|"; distance: 4; within: 15; content: "|C41173F75BCD83C404EB0299EBFF0C2471|"; distance: 3; within: 20; sid: 2009000344; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DBPE vxxx - Ding Boy]"; flow: established,to_client; content: "|EB20|"; content: "|40|"; distance: 2; within: 3; content: "|9C5557565251539CE8|"; distance: 29; within: 38; content: "|5D81ED|"; distance: 4; within: 7; sid: 2009000345; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DCrypt Private 09b - drmist]"; flow: established,to_client; content: "|B9|"; content: "|00E8000000005868|"; distance: 3; within: 11; content: "|0083E80B0F1800D00048E2FBC3|"; distance: 3; within: 16; sid: 2009000346; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DEF 10 - bartxt]"; flow: established,to_client; content: "|BE|"; content: "|40006A|"; distance: 2; within: 5; content: "|59807E070074118B460C05000040008B56103010404A75FA83C628E2E468|"; distance: 1; within: 31; content: "|4000C300000000000000000000000000000000000000000000000000000000000000000000000000000000000000|"; distance: 2; within: 48; sid: 2009000347; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DEF v10]"; flow: established,to_client; content: "|BE|"; content: "|0140006A0559807E070074118B46|"; distance: 1; within: 15; sid: 2009000348; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DEF v100 (Eng) - bartxt]"; flow: established,to_client; content: "|BE|"; content: "|0140006A|"; distance: 1; within: 5; content: "|59807E070074118B460C05000040008B56103010404A75FA83C628E2E468|"; distance: 1; within: 31; content: "|4000C300000000000000000000000000000000000000000000000000000000000000000000000000000000000000|"; distance: 2; within: 48; sid: 2009000349; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[dePACK - deNULL]"; flow: established,to_client; content: "|EB01DD606800|"; content: "|68|"; distance: 3; within: 4; content: "|0000E8|"; distance: 2; within: 5; content: "|000000|"; distance: 1; within: 4; sid: 2009000350; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[dePACK - deNULL]"; flow: established,to_client; content: "|EB01DD606800|"; content: "|68|"; distance: 3; within: 4; content: "|00E8|"; distance: 3; within: 5; content: "|000000|"; distance: 1; within: 4; content: "|D2|"; distance: 128; within: 129; sid: 2009000351; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Dev-C 4992 - Bloodshed Software]"; flow: established,to_client; content: "|5589E583EC08C7042401000000FF15|"; content: "|00E8C8FEFFFF908DB426000000005589E583EC08C7042402000000FF15|"; distance: 3; within: 32; content: "|00E8A8FEFFFF908DB42600000000558B0D|"; distance: 3; within: 20; content: "|0089E55DFFE18D742600558B0D|"; distance: 3; within: 16; sid: 2009000352; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIET v100 v100d]"; flow: established,to_client; content: "|BF|"; content: "|3BFC72|"; distance: 2; within: 5; content: "|B44CCD21BE|"; distance: 1; within: 6; content: "|B9|"; distance: 2; within: 3; content: "|FDF3A5FC|"; distance: 2; within: 6; sid: 2009000353; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIET v100d]"; flow: established,to_client; content: "|FC061E0E8CC801|"; content: "|BA|"; distance: 3; within: 4; content: "|03|"; distance: 2; within: 3; content: "|00000000|"; distance: 14; within: 18; sid: 2009000354; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIET v102b v110a v120]"; flow: established,to_client; content: "|BE|"; content: "|BF|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|3BFC72|"; distance: 2; within: 5; content: "|B44CCD21FDF3A5FC|"; distance: 1; within: 9; sid: 2009000355; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DIET v144 v145f]"; flow: established,to_client; content: "|F89C061E5756525153500EFC8CC8BA|"; content: "|03D052|"; distance: 2; within: 5; sid: 2009000356; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Ding Boys PE-lock Phantasm v08]"; flow: established,to_client; content: "|555756525153E8000000005D8BD581ED0D394000|"; sid: 2009000357; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Ding Boys PE-lock Phantasm v10 v11]"; flow: established,to_client; content: "|5557565251536681C3EB02EBFC6681C3EB02EBFC|"; sid: 2009000358; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Ding Boys PE-lock Phantasm v15b3]"; flow: established,to_client; content: "|9C5557565251539CFAE8000000005D81ED5B534000B0|"; sid: 2009000359; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Ding Boys PE-lock v007]"; flow: established,to_client; content: "|555756525153E8000000005D8BD581ED23354000|"; sid: 2009000360; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[diPacker V1X - diProtector Software]"; flow: established,to_client; content: "|0F002DE90100A0E3680100EB8C0000EB2B0000EB000020E01C108FE28E208FE20030A0E3670100EB0F00BDE800C08FE200F09CE5|"; sid: 2009000361; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[diProtector V1X - diProtector Software]"; flow: established,to_client; content: "|0100A0E3140000EB000020E044109FE5032AA0E34030A0E3AE0000EB30008FE50020A0E13A0E8FE2000080E21C109FE520308FE20E0000EB14009FE514109FE57F20A0E3C50000EB04C08FE200F09CE5|"; sid: 2009000362; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DJoin v07 public (RC4 encryption) - drmist]"; flow: established,to_client; content: "|C605|"; content: "|400000C605|"; distance: 2; within: 7; content: "|400000|"; distance: 2; within: 5; content: "|00|"; distance: 8; within: 9; content: "|00|"; distance: 4; within: 5; content: "|00|"; distance: 5; within: 6; sid: 2009000363; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DJoin v07 public (xor encryption) - drmist]"; flow: established,to_client; content: "|C605|"; content: "|400000|"; distance: 2; within: 5; content: "|00|"; distance: 8; within: 9; content: "|00|"; distance: 4; within: 5; content: "|00|"; distance: 5; within: 6; sid: 2009000364; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DotFix NiceProtect vna]"; flow: established,to_client; content: "|60E8550000008DBD0010400068|"; content: "|00033C248BF79068311040009BDBE355DB04248BC7DB442404DEC1DB1C248B1C2466AD51DB04249090DA8D77104000DB1C24D1E129|"; distance: 3; within: 56; sid: 2009000365; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DrWeb Virus-Finding Engine - InSoft EDV-Systeme]"; flow: established,to_client; content: "|B801000000C20C008D80000000008BD28B|"; content: "|2404|"; distance: 1; within: 3; sid: 2009000366; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DSHIELD]"; flow: established,to_client; content: "|06E8|"; content: "|5E83EE|"; distance: 2; within: 5; content: "|16179C58B9|"; distance: 1; within: 6; content: "|25|"; distance: 2; within: 3; content: "|2E|"; distance: 2; within: 3; sid: 2009000367; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Duals eXe 10]"; flow: established,to_client; content: "|558BEC81EC00050000E8000000005D81ED0E0000008D8508030000892833FF8D857D0200008D8D080300002BC88B9D58030000E81C0200008D9D610200008DB57C02000046803E00742456FF950A04000046803E00|"; sid: 2009000368; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Duals eXe Encryptor 10b - Dual]"; flow: established,to_client; content: "|558BEC81EC00050000E8000000005D81ED0E0000008D853A040000892833FF8D85800300008D8D3A0400002BC88B9D8A040000E8240200008D9D580300008DB57F03000046803E00742456FF955805000046803E0075FA46803E0074E7505650FF955C05000089035883C304EBE38D8569020000FFD08D855604000050681F0002006A008D857A04000050|"; sid: 2009000369; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[dUP2 - diablo2oo2]"; flow: established,to_client; content: "|E8|"; content: "|E8|"; distance: 4; within: 5; content: "|8BF06A0068|"; distance: 4; within: 9; content: "|56E8|"; distance: 4; within: 6; content: "|A2|"; distance: 4; within: 5; content: "|6A0068|"; distance: 4; within: 7; content: "|56E8|"; distance: 4; within: 6; content: "|A2|"; distance: 4; within: 5; content: "|6A0068|"; distance: 4; within: 7; content: "|56E8|"; distance: 4; within: 6; content: "|A2|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|56E8|"; distance: 4; within: 6; content: "|3C017519BE|"; distance: 4; within: 9; content: "|68000200005668|"; distance: 4; within: 11; sid: 2009000370; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DxPack 10]"; flow: established,to_client; content: "|60E8|"; content: "|5D8BFD81ED|"; distance: 4; within: 9; content: "|2BB9|"; distance: 4; within: 6; content: "|81EF|"; distance: 4; within: 6; content: "|83BD|"; distance: 4; within: 6; content: "|0F84|"; distance: 5; within: 7; sid: 2009000371; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[DxPack V086 - Dxd]"; flow: established,to_client; content: "|60E8000000005D8BFD81ED061040002BBD9412400081EF0600000083BD14134000010F842F010000|"; sid: 2009000372; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[E language]"; flow: established,to_client; content: "|E80600000050E8|"; content: "|010000558BEC81C4F0FEFFFF|"; distance: 1; within: 13; sid: 2009000373; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EYouDiDai- YueHeiFengGao]"; flow: established,to_client; content: "|558BECB8|"; content: "|E8|"; distance: 4; within: 5; content: "|5356570F318BD80F318BD02BD3C1EA10B8|"; distance: 4; within: 21; content: "|0F6EC0B8|"; distance: 4; within: 8; content: "|0F6EC80FF5C10F7EC00F7703C2|"; distance: 4; within: 17; content: "|FFE0|"; distance: 5; within: 7; sid: 2009000374; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[E2C by DoP]"; flow: established,to_client; content: "|BE|"; content: "|BF|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|FC57F3A5C3|"; distance: 2; within: 7; sid: 2009000375; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EEXE Version 112]"; flow: established,to_client; content: "|B430CD213C0373|"; content: "|BA1F000E1FB409CD21B8FF4CCD21|"; distance: 1; within: 15; sid: 2009000376; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Embed PE v113 - cyclotron]"; flow: established,to_client; content: "|83EC5060685DB9525AE82F990000DC99F3570568|"; sid: 2009000377; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EmbedPE 113 - cyclotron]"; flow: established,to_client; content: "|83EC5060685DB9525AE82F990000DC99F3570568B85E2DC6DAFD4863053C71B85E977C367E327C084F06516410A3F14ECF25CB80D2995446EDE1D346862D106893835C464D439B8CD67CBB996997712A2FA3386B33|"; sid: 2009000378; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EmbedPE v124 - cyclotron]"; flow: established,to_client; content: "|83EC506068|"; content: "|E8CBFF0000|"; distance: 4; within: 9; sid: 2009000379; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EmbedPE V1X - cyclotron]"; flow: established,to_client; content: "|83EC506068|"; content: "|E8|"; distance: 4; within: 5; content: "|0000|"; distance: 2; within: 4; sid: 2009000380; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE 12003318-12003518 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E879010000000000000000000000000000|"; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|000000006B65726E656C33322E646C6C00000047657453797374656D4469726563746F72794100000043726561746546696C654100000043726561746546696C654D617070696E67410000004D6170566965774F6646696C65000000556E6D6170566965774F6646696C65000000436C6F736548616E646C650000004C6F61644C6962726172794100000047657450726F63416464726573730000004578697450726F63657373|"; distance: 36; within: 203; sid: 2009000381; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE 12003518 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E879|"; sid: 2009000382; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE 22004616-22006630 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E87A010000000000000000000000000000|"; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|000000006B65726E656C33322E646C6C00000047657453797374656D4469726563746F72794100000043726561746546696C654100000043726561746546696C654D617070696E67410000004D6170566965774F6646696C65000000556E6D6170566965774F6646696C65000000436C6F736548616E646C650000004C6F61644C6962726172794100000047657450726F63416464726573730000004578697450726F63657373|"; distance: 36; within: 203; sid: 2009000383; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE 22004810 - 22005314 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E87A|"; sid: 2009000384; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE 22006710-220061025 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E873010000000000000000000000000000|"; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|000000006B65726E656C33322E646C6C00000047657454656D70506174684100000043726561746546696C654100000043726561746546696C654D617070696E67410000004D6170566965774F6646696C65000000556E6D6170566965774F6646696C65000000436C6F736548616E646C650000004C6F61644C6962726172794100000047657450726F63416464726573730000004578697450726F63657373|"; distance: 36; within: 196; sid: 2009000385; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE V22006710 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E873010000|"; sid: 2009000386; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE V22006710 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E873010000000000000000000000000000|"; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|000000006B65726E656C33322E646C6C00000047657454656D70506174684100000043726561746546696C654100000043726561746546696C654D617070696E67410000004D6170566965774F6646696C65000000556E6D6170566965774F6646696C65000000436C6F736548616E646C650000004C6F61644C6962726172794100000047657450726F63416464726573730000004578697450726F6365737300000000|"; distance: 36; within: 200; sid: 2009000387; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE V220070411 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E81B020000000000000000000000000000|"; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|000000006B65726E656C33322E646C6C00000047657454656D70506174684100000043726561746546696C654100000043726561746546696C654D617070696E67410000004D6170566965774F6646696C65000000556E6D6170566965774F6646696C65000000436C6F736548616E646C650000004C6F61644C6962726172794100000047657450726F63416464726573730000004578697450726F63657373|"; distance: 36; within: 196; sid: 2009000388; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EncryptPE V22007411 - WFS]"; flow: established,to_client; content: "|609C64FF3500000000E81B020000000000000000000000000000|"; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|000000006B65726E656C33322E646C6C00000047657454656D70506174684100000043726561746546696C654100000043726561746546696C654D617070696E67410000004D6170566965774F6646696C65000000556E6D6170566965774F6646696C65000000436C6F736548616E646C650000004C6F61644C6962726172794100000047657450726F63416464726573730000004578697450726F63657373000000000000|"; distance: 36; within: 202; sid: 2009000389; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Enigma Protector 131 Build 20070615 Dll - Sukhov Vladimir Serge N Markin]"; flow: established,to_client; content: "|60E8000000005D81ED0600000081ED|"; content: "|E949000000|"; distance: 4; within: 9; content: "|0000000000000000000000000000000000000000000000000000000000000000008A84242800000080F8010F8407000000B8|"; distance: 40; within: 90; content: "|FFE0E904000000|"; distance: 4; within: 11; content: "|B8|"; distance: 4; within: 5; content: "|03C581C0|"; distance: 4; within: 8; content: "|B9|"; distance: 4; within: 5; content: "|BA|"; distance: 4; within: 5; content: "|301040490F85F6FFFFFFE904000000|"; distance: 4; within: 19; sid: 2009000390; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ENIGMA Protector V11- Sukhov Vladimir]"; flow: established,to_client; content: "|60E8000000005D83|"; content: "|81|"; distance: 2; within: 3; sid: 2009000391; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ENIGMA Protector V11-V12- Sukhov Vladimir]"; flow: established,to_client; content: "|60E8000000005D83ED0681|"; sid: 2009000392; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Enigma Protector v112 LITE]"; flow: established,to_client; content: "|60E8000000005D83ED0681ED|"; content: "|00|"; distance: 3; within: 4; content: "|E8010000009A83C404EB02FF3560E8240000000000FFEB02CD208B44240C8380B80000000331|"; distance: 31; within: 69; sid: 2009000393; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ENIGMA Protector V112- Sukhov Vladimir]"; flow: established,to_client; content: "|60E8000000005D83C5FA81ED|"; content: "|00|"; distance: 3; within: 4; content: "|E8010000009A83C404EB02FF3560E8240000000000FFEB02CD208B44240C8380B80000000331|"; distance: 31; within: 69; sid: 2009000394; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EP v10]"; flow: established,to_client; content: "|5083C0178BF09733C033C9B124AC86C4ACAA86C4AAE2F600B8400003003C40D2338B661450708B8D3402448B1810487003BA0C|"; content: "|C033FE8B30AC30D0C1F010C2D030F030C2C1AA104242CAC1E2045FE95EB1|"; distance: 4; within: 34; sid: 2009000395; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EPW v12]"; flow: established,to_client; content: "|06571E5655525153502E|"; content: "|8CC005|"; distance: 4; within: 7; content: "|2E|"; distance: 2; within: 3; content: "|8ED8A1|"; distance: 3; within: 6; content: "|2E|"; distance: 2; within: 3; sid: 2009000396; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EPW v130]"; flow: established,to_client; content: "|06571E5655525153502E8C0608008CC083C0102E|"; sid: 2009000397; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Escargot 01 (final) - Meat]"; flow: established,to_client; content: "|EB0440302E31606861|"; content: "|64FF350000000064892500000000B892|"; distance: 3; within: 19; content: "|8B00FFD050B8CD|"; distance: 3; within: 10; content: "|8138DEC03713752D68C9|"; distance: 3; within: 13; content: "|6A406800|"; distance: 3; within: 7; content: "|0000680000|"; distance: 1; within: 6; content: "|B896|"; distance: 2; within: 4; content: "|8B00FFD08B4424F08B4C24F4EB0549C60401400BC975F7BE0010|"; distance: 3; within: 29; content: "|B900|"; distance: 2; within: 4; content: "|00EB0549803431400BC975F7580BC0740833C0C700DEC0AD0BBE|"; distance: 2; within: 28; content: "|E9AC0000008B460CBB0000|"; distance: 4; within: 15; content: "|03C35050|"; distance: 2; within: 6; sid: 2009000398; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Escargot V01 - Meat]"; flow: established,to_client; content: "|EB0440302E31606861|"; sid: 2009000399; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Excalibur 103 - forgot]"; flow: established,to_client; content: "|E90000000060E8140000005D81ED00000000|"; sid: 2009000400; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Excalibur V103 - forgot]"; flow: established,to_client; content: "|E90000000060E8140000005D81ED000000006A45E8A30000006800000000E85861EB39|"; sid: 2009000401; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXcalibur v103 - forgotus]"; flow: established,to_client; content: "|E90000000060E8140000005D81ED000000006A45E8A30000006800000000E85861EB3920457863616C696275722028632920627920666F72676F742F75532F44464347202020202020202020202020202020202020|"; sid: 2009000402; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Guarder v18 - Exeiconcom]"; flow: established,to_client; content: "|558BEC83C4D05356578D75FC8B442430250000FFFF81384D5A900074072D00100000EBF18945FCE8C8FFFFFF2DB20400008945F48B068B403C03068B407803068BC88B512003168B5924031E895DF08B591C031E89|"; sid: 2009000403; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE joiner - Amok]"; flow: established,to_client; content: "|A114A14000C1E002A318A140|"; sid: 2009000404; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Locker 10 - IonIce]"; flow: established,to_client; content: "|E800000000608B6C242081ED05000000|"; sid: 2009000405; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Locker v10 -- IonIce]"; flow: established,to_client; content: "|E800000000608B6C242081ED050000003E8F856C0000003E8F85680000003E8F85640000003E8F85600000003E8F855C0000003E8F85580000003E8F85540000|"; sid: 2009000406; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Manager Version 30 1994 (c) Solar Designer]"; flow: established,to_client; content: "|B4301E06CD212E|"; content: "|BF|"; distance: 3; within: 4; content: "|B9|"; distance: 2; within: 3; content: "|33C02E|"; distance: 2; within: 5; content: "|47E2|"; distance: 2; within: 4; sid: 2009000407; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Packer v70 by TurboPower Software]"; flow: established,to_client; content: "|1E068CC383|"; content: "|2E|"; distance: 2; within: 3; content: "|B9|"; distance: 4; within: 5; content: "|8CC88ED88BF14E8BFE|"; distance: 2; within: 11; sid: 2009000408; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Shield v01b - v03b v03 - SMoKE]"; flow: established,to_client; content: "|E8040000008360EB0C5DEB05|"; sid: 2009000409; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Shield V05 - Smoke]"; flow: established,to_client; content: "|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005D81EDBC1A4000EB01008DB5461B4000BAB30A0000EB01008D8DF92540008B09E81400000083EB01008BFEE8000000005883C00750C300EB045840|"; sid: 2009000410; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Shield V05 - Smoke]"; flow: established,to_client; content: "|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005D81EDBC1A4000EB01008DB5461B4000BAB30A0000EB01008D8DF92540008B09E81400000083EB01008BFEE8000000005883C00750C300EB04584050C38A0646EB0100D0C8E81400000083EB01002AC2E8000000005B83C30753C300EB045B4353C3EB010032C2E80B0000000032C1EB0100C0C002EB092AC25BEB01004353C38807EB0100474A75B490|"; sid: 2009000411; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Shield V06 - SMoKE]"; flow: established,to_client; content: "|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005D81EDD41A4000EB01008DB55E1B4000BAA10B0000EB01008D8DFF2640008B09E81400000083EB01008BFEE8000000005883C00750C300EB045840|"; sid: 2009000412; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Shield V06 - SMoKE]"; flow: established,to_client; content: "|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005D81EDD41A4000EB01008DB55E1B4000BAA10B0000EB01008D8DFF2640008B09E81400000083EB01008BFEE8000000005883C00750C300EB04584050C38A0646EB0100D0C8E81400000083EB01002AC2E8000000005B83C30753C300EB045B4353C3EB010032C2E80B0000000032C1EB0100C0C002EB092AC25BEB01004353C38807EB0100474A75B490|"; sid: 2009000413; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Shield v17]"; flow: established,to_client; content: "|EB0668901F0600C39C60E80200000033C08BC483C004938BE38B5BFC81EB3F90|"; sid: 2009000414; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Shield v27]"; flow: established,to_client; content: "|EB0668F4860600C39C60E8020000|"; sid: 2009000415; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Shield v27b]"; flow: established,to_client; content: "|EB066840850600C39C60E80200000033C08BC483C004938BE38B5BFC81EB3F90400087DD8B85E690400001853390400066C7853090400090900185DA9040000185DE9040000185E2904000BB7B110000039DEA9040|"; sid: 2009000416; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Shield v29]"; flow: established,to_client; content: "|60E8000000005D81ED0B204000B9EB0800008DBD532040008BF7AC|"; content: "|F8|"; distance: 3; within: 4; sid: 2009000417; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Shield vxx]"; flow: established,to_client; content: "|65786573686C2E646C6CC05D00|"; sid: 2009000418; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Exe Stealth 275a - WebtoolMaster]"; flow: established,to_client; content: "|EB585368617265776172652D56657273696F6E20457865537465616C74682C20636F6E7461637420737570706F727440776562746F6F6C6D61737465722E636F6D202D207777772E776562746F6F6C6D6173746572|"; sid: 2009000419; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Stealth v11]"; flow: established,to_client; content: "|60E8000000005D81EDFB1D4000B97B0900008BF7AC|"; sid: 2009000420; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Stealth v27]"; flow: established,to_client; content: "|EB0060EB00E8000000005D81EDD32640|"; sid: 2009000421; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Stealth v271]"; flow: established,to_client; content: "|EB0060EB00E8000000005D81EDB02740|"; sid: 2009000422; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Stealth v272]"; flow: established,to_client; content: "|EB00EB2F536861726577617265202D20|"; sid: 2009000423; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Stealth v274 - WebToolMaster]"; flow: established,to_client; content: "|EB00EB17|"; content: "|6090E8000000005D|"; distance: 23; within: 31; sid: 2009000424; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE Stealth v276 - WebToolMaster]"; flow: established,to_client; content: "|EB65457865537465616C7468205632202D207777772E776562746F6F6C6D61737465722E636F6D20594F55522041442048455245215069524143592069532041|"; sid: 2009000425; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE32Pack v136]"; flow: established,to_client; content: "|3BC074028183553BC074028183533BC97401BC|"; content: "|0281|"; distance: 4; within: 6; content: "|3BDB7401BE5D8BD581EDCC8D40|"; distance: 7; within: 20; sid: 2009000426; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE32Pack v137]"; flow: established,to_client; content: "|3BC074028183553BC074028183533BC97401BC|"; content: "|0281|"; distance: 4; within: 6; content: "|3BDB7401BE5D8BD581ED4C8E40|"; distance: 7; within: 20; sid: 2009000427; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE32Pack v138]"; flow: established,to_client; content: "|3BC074028183553BC074028183533BC97401BC|"; content: "|0281|"; distance: 4; within: 6; content: "|3BDB7401BE5D8BD581EDDC8D40|"; distance: 7; within: 20; sid: 2009000428; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE32Pack v139]"; flow: established,to_client; content: "|3BC074028183553BC074028183533BC97401BC|"; content: "|0281|"; distance: 4; within: 6; content: "|3BDB7401BE5D8BD581EDEC8D40|"; distance: 7; within: 20; sid: 2009000429; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXE32Pack v13x]"; flow: established,to_client; content: "|3B|"; content: "|74028183553B|"; distance: 1; within: 7; content: "|740281|"; distance: 1; within: 4; content: "|533B|"; distance: 1; within: 3; content: "|7401|"; distance: 1; within: 3; content: "|0281|"; distance: 5; within: 7; content: "|E8|"; distance: 2; within: 3; content: "|3B7401|"; distance: 4; within: 7; content: "|5D8BD581ED|"; distance: 1; within: 6; sid: 2009000430; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeBundle v30 (small loader)]"; flow: established,to_client; content: "|0000000060BE00F040008DBE0020FFFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11|"; sid: 2009000431; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeBundle v30 (standard loader)]"; flow: established,to_client; content: "|0000000060BE00B042008DBE0060FDFFC787B0E40200313C4BDF5783CDFFEB0E909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB|"; sid: 2009000432; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECrypt 10 - ReBirth]"; flow: established,to_client; content: "|909060E8000000005D81EDD1274000B91500000083C10483C101EB05EBFE83C756EB00EB0083E90281C178432765EB0081C11025940081E963850000B9960C0000908DBD4E2840008BF7AC|"; sid: 2009000433; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor 224 - StrongbitSoftComplete Development (h1)]"; flow: established,to_client; content: "|E8F7FEFFFF05|"; content: "|0000FFE0E8EBFEFFFF05|"; distance: 2; within: 12; content: "|0000FFE0E804000000FFFFFFFF5EC3|"; distance: 2; within: 17; sid: 2009000434; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor 224 - StrongbitSoftComplete Development (h2)]"; flow: established,to_client; content: "|E8F7FEFFFF05|"; content: "|0000FFE0E8EBFEFFFF05|"; distance: 2; within: 12; content: "|0000FFE0E8|"; distance: 2; within: 7; content: "|000000|"; distance: 1; within: 4; sid: 2009000435; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor 226 (minimum protection)]"; flow: established,to_client; content: "|5068|"; content: "|5881E0|"; distance: 4; within: 7; content: "|E9|"; distance: 4; within: 5; content: "|00870C2459E8|"; distance: 3; within: 9; content: "|008945F8E9|"; distance: 3; within: 8; content: "|0F83|"; distance: 4; within: 6; content: "|00E9|"; distance: 3; within: 5; content: "|8714245A5768|"; distance: 4; within: 10; content: "|E9|"; distance: 4; within: 5; content: "|5881C0|"; distance: 4; within: 7; content: "|2B05|"; distance: 4; within: 6; content: "|81C8|"; distance: 4; within: 6; content: "|81E0|"; distance: 4; within: 6; content: "|E9|"; distance: 4; within: 5; content: "|00C3E9|"; distance: 3; within: 6; content: "|C3BF|"; distance: 4; within: 6; content: "|81CB|"; distance: 4; within: 6; content: "|BA|"; distance: 4; within: 5; content: "|52E9|"; distance: 4; within: 6; content: "|00E8|"; distance: 3; within: 5; content: "|00E9|"; distance: 3; within: 5; content: "|00E9|"; distance: 3; within: 5; content: "|8734245E668B006625|"; distance: 4; within: 13; content: "|E9|"; distance: 2; within: 3; content: "|8BCD870C248BEC5189EC5D8B05|"; distance: 4; within: 17; content: "|09C0E9|"; distance: 4; within: 7; content: "|5981C1|"; distance: 4; within: 7; content: "|C1C1|"; distance: 4; within: 6; content: "|230D|"; distance: 1; within: 3; content: "|81F9|"; distance: 4; within: 6; content: "|E9|"; distance: 4; within: 5; content: "|C3E9|"; distance: 4; within: 6; content: "|0013D00BF9E9|"; distance: 3; within: 9; content: "|51E8|"; distance: 4; within: 6; content: "|8B64240831C0648F05000000005AE9|"; distance: 4; within: 19; content: "|3CA40F85|"; distance: 4; within: 8; content: "|008B45FC668138|"; distance: 3; within: 10; content: "|0F8405000000E9|"; distance: 2; within: 9; content: "|0F84|"; distance: 4; within: 6; content: "|E9|"; distance: 4; within: 5; content: "|873C245F31DB31C931D268|"; distance: 4; within: 15; content: "|E9|"; distance: 4; within: 5; content: "|8945FC33C08945F4837DFC00E9|"; distance: 4; within: 17; content: "|53528BD187142481C0|"; distance: 4; within: 13; content: "|0F88|"; distance: 4; within: 6; content: "|3BCB|"; distance: 4; within: 6; sid: 2009000436; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor 226 DLL (minimum protection)]"; flow: established,to_client; content: "|508BC687042468|"; content: "|5EE9|"; distance: 4; within: 6; content: "|85C8E9|"; distance: 4; within: 7; content: "|81C3|"; distance: 4; within: 6; content: "|0F81|"; distance: 4; within: 6; content: "|0081FA|"; distance: 3; within: 6; content: "|33D0E9|"; distance: 4; within: 7; content: "|000F8D|"; distance: 3; within: 6; content: "|0081D5|"; distance: 3; within: 6; content: "|F7D10B15|"; distance: 4; within: 8; content: "|C1C2|"; distance: 4; within: 6; content: "|81C2|"; distance: 1; within: 3; content: "|9DE9|"; distance: 4; within: 6; content: "|C1E2|"; distance: 4; within: 6; content: "|C1E8|"; distance: 1; within: 3; content: "|81EA|"; distance: 1; within: 3; content: "|13DA81E9|"; distance: 4; within: 8; content: "|8704248BC8E9|"; distance: 4; within: 10; content: "|558BEC83C4F88945FC8B45FC8945F88B4508E9|"; distance: 4; within: 23; content: "|8B45E0C60000FF45E4E9|"; distance: 4; within: 14; content: "|FF45E4E9|"; distance: 4; within: 8; content: "|00F7D30F81|"; distance: 3; within: 8; content: "|E9|"; distance: 4; within: 5; content: "|8734245E8B45F4E8|"; distance: 4; within: 12; content: "|008B45F48BE55DC3E9|"; distance: 3; within: 12; sid: 2009000437; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor 239 (compressed resources)]"; flow: established,to_client; content: "|5168|"; content: "|5981F1123CCB98E9532C0000F7D7E9EB6000008345F802E9E3360000F645F8200F841E21000055E980620000870C248BE9|"; distance: 4; within: 53; content: "|000023C181E9|"; distance: 4; within: 10; content: "|57E9ED0000000F88|"; distance: 4; within: 12; content: "|E92C0D000081EDBB43CB79C1E01CE99E1400000B15|"; distance: 4; within: 25; content: "|81E22A707F4981C29D83123BE80C500000E9A0160000595BC364FF350000000064892500000000E841420000E99333000031DB89D8595BC3A1|"; distance: 4; within: 61; content: "|8A002C99E9823000000F8A|"; distance: 4; within: 15; content: "|B80100000031D20FA225FF0F0000E9722100000F86570B0000E9|"; distance: 4; within: 30; content: "|C1C003E8F0360000E9410A000081F7B36E85EA81C7|"; distance: 4; within: 25; content: "|873C24E9745200000F8E|"; distance: 4; within: 14; content: "|E85E37000068B17496135AE9A104000081D149C01227E9504E0000C1C81B1BC381E19636E5|"; distance: 4; within: 41; sid: 2009000438; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor 239 (minimum protection)]"; flow: established,to_client; content: "|68|"; content: "|E9|"; distance: 4; within: 5; content: "|FF50C1C8188905|"; distance: 3; within: 10; content: "|C3C1C01851E9|"; distance: 4; within: 10; content: "|FF84C00F846AF9FFFFE9|"; distance: 3; within: 13; content: "|FFC3E9|"; distance: 3; within: 6; content: "|FFE8CFE9FFFFB801000000E9|"; distance: 3; within: 15; content: "|FF2BD068A03680D45981C96498FF99E9|"; distance: 3; within: 19; content: "|FF84C00F848EECFFFFE9|"; distance: 3; within: 13; content: "|FFC3873C245F8B000345FC83C018E9|"; distance: 3; within: 18; content: "|FF870C2459B801000000D3E023D0E9021800000F8DDB000000C1E814E9CA0000009D870C2459871C2468AE73B996E9C51000000F8A|"; distance: 3; within: 56; content: "|E9|"; distance: 4; within: 5; content: "|FF81FDF5FF8F07E94F100000C3E95E120000873C24E9|"; distance: 3; within: 25; content: "|FFE8|"; distance: 3; within: 5; content: "|FF833D|"; distance: 3; within: 6; content: "|000F85|"; distance: 4; within: 7; content: "|8D55ECB8|"; distance: 4; within: 8; content: "|E9|"; distance: 4; within: 5; content: "|FFE8A71A0000E82ACBFFFFE9|"; distance: 3; within: 15; content: "|FFC3E9|"; distance: 3; within: 6; content: "|FF598945E0|"; distance: 3; within: 8; sid: 2009000439; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor 239 DLL (compressed resources)]"; flow: established,to_client; content: "|5068|"; content: "|58C1C00FE9|"; distance: 4; within: 9; content: "|00870424588945FCE9|"; distance: 3; within: 12; content: "|FFFF05|"; distance: 3; within: 6; content: "|E9|"; distance: 4; within: 5; content: "|00C1C318E9|"; distance: 3; within: 8; content: "|8B55080942F8E9|"; distance: 4; within: 11; content: "|FF837DF0010F85|"; distance: 3; within: 10; content: "|E9|"; distance: 4; within: 5; content: "|008734245E8B45FC33D2568BF2E9|"; distance: 3; within: 17; content: "|00BA|"; distance: 3; within: 5; content: "|E8|"; distance: 4; within: 5; content: "|00A3|"; distance: 3; within: 5; content: "|C3E9|"; distance: 4; within: 6; content: "|00C383C404C3E9|"; distance: 3; within: 10; content: "|FF64FF350000000064892500000000E8|"; distance: 3; within: 19; content: "|00E9|"; distance: 3; within: 5; content: "|FFC1C20381CA|"; distance: 3; within: 9; content: "|81C2|"; distance: 4; within: 6; content: "|03C25AE9|"; distance: 4; within: 8; content: "|FF81E7|"; distance: 3; within: 6; content: "|81EF|"; distance: 4; within: 6; content: "|81C7|"; distance: 4; within: 6; content: "|8907E9|"; distance: 4; within: 7; content: "|0F89|"; distance: 4; within: 6; content: "|8714245A50C1C810|"; distance: 4; within: 12; sid: 2009000440; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor 239 DLL (minimum protection)]"; flow: established,to_client; content: "|5168|"; content: "|872C248BCD5D81E1|"; distance: 4; within: 12; content: "|E9|"; distance: 4; within: 5; content: "|008945F85168|"; distance: 3; within: 9; content: "|5981F1|"; distance: 4; within: 7; content: "|0B0D|"; distance: 4; within: 6; content: "|81E9|"; distance: 4; within: 6; content: "|E9|"; distance: 4; within: 5; content: "|0081C2|"; distance: 3; within: 6; content: "|E8|"; distance: 4; within: 5; content: "|00870C245951648B05300000008B400C8B400CE9|"; distance: 3; within: 23; content: "|00F7D62BD5E9|"; distance: 3; within: 9; content: "|00873C248BCF5F8714241BCAE9|"; distance: 3; within: 16; content: "|0083C40868|"; distance: 3; within: 8; content: "|E9|"; distance: 4; within: 5; content: "|00C3E9|"; distance: 3; within: 6; content: "|00E9|"; distance: 3; within: 5; content: "|00508BC58704248BEC510F88|"; distance: 3; within: 15; content: "|00FF05|"; distance: 3; within: 6; content: "|E9|"; distance: 4; within: 5; content: "|00870C245999030424E9|"; distance: 3; within: 13; content: "|00C381D5|"; distance: 3; within: 7; content: "|9CE9|"; distance: 4; within: 6; content: "|0081FA|"; distance: 3; within: 6; content: "|E9|"; distance: 4; within: 5; content: "|00C1C31581CB|"; distance: 3; within: 9; content: "|81F3|"; distance: 4; within: 6; content: "|81C3|"; distance: 4; within: 6; content: "|87|"; distance: 4; within: 5; sid: 2009000441; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor v13045]"; flow: established,to_client; content: "|E8240000008B4C240CC70117000100C781|"; content: "|31C089411489411880A1|"; distance: 7; within: 17; sid: 2009000442; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor v13045]"; flow: established,to_client; content: "|E824|"; content: "|8B4C240CC70117|"; distance: 3; within: 10; content: "|01|"; distance: 1; within: 2; content: "|C781|"; distance: 1; within: 3; content: "|31C089411489411880A1|"; distance: 7; within: 17; sid: 2009000443; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor v1401]"; flow: established,to_client; content: "|E8240000008B4C240CC70117000100C781B800000000|"; content: "|0031C089411489411880|"; distance: 2; within: 12; sid: 2009000444; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor v151x]"; flow: established,to_client; content: "|E824|"; content: "|8B4C240CC70117|"; distance: 3; within: 10; content: "|01|"; distance: 1; within: 2; content: "|C781B8|"; distance: 1; within: 4; content: "|31C089411489411880A1C1|"; distance: 7; within: 18; content: "|FEC331C064FF30648920CCC3|"; distance: 3; within: 15; sid: 2009000445; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor V21X - softcompletecom]"; flow: established,to_client; content: "|E9|"; content: "|669C60508D88|"; distance: 4; within: 10; content: "|8D900416|"; distance: 4; within: 8; content: "|8BDC8BE1|"; distance: 2; within: 6; sid: 2009000446; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXECryptor vxxxx]"; flow: established,to_client; content: "|E824|"; content: "|8B4C240CC70117|"; distance: 3; within: 10; content: "|01|"; distance: 1; within: 2; content: "|C781B8|"; distance: 1; within: 4; content: "|31C08941|"; distance: 7; within: 11; sid: 2009000447; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeJoiner 10 - Yoda]"; flow: established,to_client; content: "|68001040006804010000E8390300000500104000C6005C680401000068041140006A00E81A0300006A0068800000006A036A006A0168000000806804114000E8EC02000083F8FF0F8483020000A3081240006A0050E8E202000083F8FF0F846D020000A30C1240008BD883EB046A006A0053FF3508124000E8E30200006A00683C1240006A04681E124000FF3508124000E8C402000083EB046A006A0053FF3508124000|"; sid: 2009000448; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeJoiner 10 - Yoda f2f]"; flow: established,to_client; content: "|68001040006804010000E8390300000500104000C6005C680401000068041140006A00E81A0300006A0068800000006A036A006A0168000000806804114000E8EC02000083F8FF0F8483020000A3081240006A0050|"; sid: 2009000449; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXEJoiner v10]"; flow: established,to_client; content: "|68001040006804010000E83903000005001040C6005C68|"; content: "|68|"; distance: 4; within: 5; content: "|6A00E8|"; distance: 4; within: 7; sid: 2009000450; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeJoiner V10 - Yoda f2f]"; flow: established,to_client; content: "|68001040006804010000E8390300000500104000C6005C6804010000|"; sid: 2009000451; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXELOCK 666 15]"; flow: established,to_client; content: "|BA|"; content: "|BF|"; distance: 2; within: 3; content: "|EB|"; distance: 2; within: 3; content: "|EA|"; distance: 1; within: 2; content: "|79|"; distance: 4; within: 5; content: "|7F|"; distance: 1; within: 2; content: "|7E|"; distance: 1; within: 2; content: "|1C|"; distance: 1; within: 2; content: "|4878|"; distance: 1; within: 3; content: "|E3|"; distance: 1; within: 2; content: "|4514|"; distance: 1; within: 3; content: "|5AE9|"; distance: 1; within: 3; sid: 2009000452; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeLock v100]"; flow: established,to_client; content: "|068CC88EC0BE|"; content: "|26|"; distance: 2; within: 3; content: "|34|"; distance: 2; within: 3; content: "|26|"; distance: 1; within: 2; content: "|4681|"; distance: 2; within: 4; content: "|75|"; distance: 3; within: 4; content: "|40B3|"; distance: 1; within: 3; content: "|B3|"; distance: 1; within: 2; content: "|F3|"; distance: 1; within: 2; sid: 2009000453; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXEPACK (LINK) v360 v364 v365 or 50121]"; flow: established,to_client; content: "|8CC005|"; content: "|0E1FA3|"; distance: 2; within: 5; content: "|03|"; distance: 2; within: 3; content: "|8EC08B|"; distance: 3; within: 6; content: "|8B|"; distance: 3; within: 4; content: "|4F8BF7FDF3A450B8|"; distance: 1; within: 9; content: "|50CB|"; distance: 2; within: 4; sid: 2009000454; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXEPACK v405 v406]"; flow: established,to_client; content: "|8CC005|"; content: "|0E1FA3|"; distance: 2; within: 5; content: "|0306|"; distance: 2; within: 4; content: "|8EC08B0E|"; distance: 2; within: 6; content: "|8BF94F8BF7FDF3A4|"; distance: 2; within: 10; sid: 2009000455; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXERefactor V01 - random]"; flow: established,to_client; content: "|558BEC81EC900B0000535657E9588C01005553434154494F4E|"; sid: 2009000456; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeShield 36 - wwwexeshieldcom]"; flow: established,to_client; content: "|B8|"; content: "|005064FF35000000006489250000000033C089085045436F6D706163743200CE1E42AFF8D6CCE9FBC84F1B227CB4C80DBD71A9C81F5FB1298F11738F00D18887A93F4D006C3CBFC080F7AD3523EB84826F|"; distance: 3; within: 84; sid: 2009000457; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeShield Cryptor 13RC - Tom Commander]"; flow: established,to_client; content: "|558BEC53565760E8000000005D81ED8C214000B9512D400081E9E62140008BD581C2E62140008D3A8BF733C0EB0490EB01C2AC|"; sid: 2009000458; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeShield Protector V36 - wwwexeshieldcom]"; flow: established,to_client; content: "|B8|"; content: "|005064FF35000000006489250000000033C089085045436F6D706163743200CE1E42AFF8D6CC|"; distance: 3; within: 41; sid: 2009000459; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeSmasher vxx]"; flow: established,to_client; content: "|9CFE03|"; content: "|60BE|"; distance: 1; within: 3; content: "|41|"; distance: 2; within: 3; content: "|8DBE|"; distance: 1; within: 3; content: "|10FFFF5783CDFFEB10|"; distance: 1; within: 10; sid: 2009000460; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeSplitter 13 (Split Method) - Bill Prisoner TPOC]"; flow: established,to_client; content: "|E9FE010000|"; content: "|000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000073766345723031312E746D7000000000000000000064A1300000008B400C8B400C8B0085C00F845F0200008B483080396B740780394B7402EBE780790C337402EBDF8B4018C3|"; distance: 7; within: 166; sid: 2009000461; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeSplitter 13 (SplitCrypt Method) - Bill Prisoner TPOC]"; flow: established,to_client; content: "|E8000000005D81ED05104000B9|"; content: "|8D851D10400080306640E2FA8F98676666|"; distance: 4; within: 21; content: "|66|"; distance: 7; within: 8; sid: 2009000462; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EXEStealth 275 - WebtoolMaster]"; flow: established,to_client; content: "|906090E8000000005D81EDD1274000B915000000|"; sid: 2009000463; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeTools COM2EXE]"; flow: established,to_client; content: "|E8|"; content: "|5D83ED|"; distance: 2; within: 5; content: "|8CDA2E8996|"; distance: 1; within: 6; content: "|83C2|"; distance: 2; within: 4; content: "|8EDA8EC22E0196|"; distance: 1; within: 8; content: "|60|"; distance: 2; within: 3; sid: 2009000464; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ExeTools v21 Encruptor by DISMEMBER]"; flow: established,to_client; content: "|E8|"; content: "|5D83|"; distance: 2; within: 4; content: "|1E8CDA83|"; distance: 2; within: 6; content: "|8EDA8EC2BB|"; distance: 2; within: 7; content: "|BA|"; distance: 2; within: 3; content: "|85D274|"; distance: 2; within: 5; sid: 2009000465; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor 11 - CGSoftLabs]"; flow: established,to_client; content: "|E9|"; content: "|0000E9|"; distance: 2; within: 5; content: "|0000E9|"; distance: 2; within: 5; content: "|120000E9|"; distance: 1; within: 5; content: "|0C0000E9|"; distance: 1; within: 5; content: "|0000E9|"; distance: 2; within: 5; content: "|0000E9|"; distance: 2; within: 5; content: "|0000|"; distance: 2; within: 4; sid: 2009000466; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor 12 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC81ECD4010000535657EB0C457850722D762E312E322E2E|"; sid: 2009000467; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor 120 Beta PE Packer]"; flow: established,to_client; content: "|558BEC81EC|"; content: "|535657EB|"; distance: 4; within: 8; content: "|457850722D762E312E322E2E|"; distance: 1; within: 13; sid: 2009000468; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor V10 - CGSoftLabs]"; flow: established,to_client; content: "|E935140000E931130000E998120000E9EF0C0000E942130000E9E9020000E9EF0B0000E91B0D0000|"; sid: 2009000469; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXpressor v11 - CGSoftLabs]"; flow: established,to_client; content: "|E915130000E9F0120000E958120000E9AF0C0000E9AE020000E9B40B0000E9E00C0000|"; sid: 2009000470; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXpressor v12 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC81ECD4010000535657EB0C457850722D76|"; sid: 2009000471; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor v12 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC81ECD4010000535657EB0C457850722D762E312E322E2EB8|"; content: "|2B0584|"; distance: 4; within: 7; content: "|A3|"; distance: 3; within: 4; content: "|833D|"; distance: 4; within: 6; content: "|007416A1|"; distance: 4; within: 8; content: "|030580|"; distance: 4; within: 7; content: "|898554FEFFFFE9|"; distance: 3; within: 10; content: "|070000C705|"; distance: 1; within: 6; content: "|010000006804|"; distance: 4; within: 10; sid: 2009000472; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor v12 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC81ECD4010000535657EB0C457850722D762E312E322E2EB8|"; content: "|2B0584|"; distance: 4; within: 7; content: "|A3|"; distance: 3; within: 4; content: "|833D|"; distance: 4; within: 6; content: "|007416A1|"; distance: 4; within: 8; content: "|030580|"; distance: 4; within: 7; content: "|898554FEFFFFE9|"; distance: 3; within: 10; content: "|070000C705|"; distance: 1; within: 6; content: "|0100000068040100008D85F0FEFFFF506A00FF15|"; distance: 4; within: 24; sid: 2009000473; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor V13 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC83EC|"; content: "|535657EB0C45|"; distance: 1; within: 7; sid: 2009000474; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor v13 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC83EC|"; content: "|535657EB0C457850722D762E312E332E2EB8|"; distance: 1; within: 19; content: "|2B05|"; distance: 4; within: 6; content: "|A3|"; distance: 4; within: 5; content: "|833D|"; distance: 4; within: 6; content: "|007413A1|"; distance: 4; within: 8; content: "|0305|"; distance: 4; within: 6; content: "|89|"; distance: 4; within: 5; content: "|E9|"; distance: 2; within: 3; content: "|0000C705|"; distance: 2; within: 6; sid: 2009000475; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor v14 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC83EC|"; content: "|535657EB0C457850722D762E312E342E2EB8|"; distance: 1; within: 19; sid: 2009000476; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXpressor v145 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC83EC585356578365DC00F3EB0C|"; sid: 2009000477; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor V1451 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC83EC585356578365DC00F3EB0C655850722D762E312E342E00A100|"; content: "|000500|"; distance: 2; within: 5; content: "|00A308|"; distance: 2; within: 5; content: "|00A108|"; distance: 2; within: 5; content: "|00B981|"; distance: 2; within: 5; content: "|002B4818890D0C|"; distance: 2; within: 9; content: "|00833D|"; distance: 2; within: 5; sid: 2009000478; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor v1451 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC83EC585356578365DC00F3EB0C655850722D762E312E342E00A100|"; content: "|0500|"; distance: 3; within: 5; content: "|A308|"; distance: 3; within: 5; content: "|A108|"; distance: 3; within: 5; content: "|B981|"; distance: 3; within: 5; content: "|2B4818890D0C|"; distance: 3; within: 9; content: "|833D10|"; distance: 3; within: 6; content: "|007416A108|"; distance: 3; within: 8; content: "|8B0D0C|"; distance: 3; within: 6; content: "|034814|"; distance: 3; within: 6; sid: 2009000479; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressor v1451 - CGSoftLabs]"; flow: established,to_client; content: "|558BEC83EC585356578365DC00F3EB0C655850722D762E312E342E00A100|"; content: "|0500|"; distance: 3; within: 5; content: "|A308|"; distance: 3; within: 5; content: "|A108|"; distance: 3; within: 5; content: "|B981|"; distance: 3; within: 5; content: "|2B4818890D0C|"; distance: 3; within: 9; content: "|833D10|"; distance: 3; within: 6; content: "|007416A108|"; distance: 3; within: 8; content: "|8B0D0C|"; distance: 3; within: 6; content: "|034814894DCC|"; distance: 3; within: 9; sid: 2009000480; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[eXPressorPacK 150X - CGSoftLabs]"; flow: established,to_client; content: "|558BEC81EC|"; content: "|53565783A5|"; distance: 4; within: 9; content: "|F3EB0C655850722D762E312E352E00837D0C|"; distance: 5; within: 23; content: "|75238B4508A3|"; distance: 1; within: 7; content: "|6A04680010000068200300006A00FF15|"; distance: 4; within: 20; content: "|A3|"; distance: 4; within: 5; content: "|EB04|"; distance: 4; within: 6; sid: 2009000481; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[EZIP v10]"; flow: established,to_client; content: "|E919320000E97C2A0000E919240000E9FF230000E91E2E0000E9882E0000E92C|"; sid: 2009000482; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FACRYPT v10]"; flow: established,to_client; content: "|B9|"; content: "|B3|"; distance: 2; within: 3; content: "|33D2BE|"; distance: 1; within: 4; content: "|8BFEAC32C3AA494332E403D0E3|"; distance: 2; within: 15; sid: 2009000483; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Feokt]"; flow: established,to_client; content: "|8925A8114000BF|"; content: "|0031C0B9|"; distance: 3; within: 7; content: "|0029F9FCF3AA|"; distance: 3; within: 9; content: "|E8|"; distance: 61; within: 62; sid: 2009000484; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FileShield]"; flow: established,to_client; content: "|501EEB|"; content: "|9000008BD8|"; distance: 1; within: 6; sid: 2009000485; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Fish PE Shield 101 - HellFish]"; flow: established,to_client; content: "|60E812FEFFFFC390090000002C000000|"; content: "|C4030000BCA0000000400100|"; distance: 4; within: 16; content: "|0000000000000000000000000000000099000000008A0000001000002888000040|"; distance: 4; within: 37; content: "|4B00000002000000A000001801000040|"; distance: 1; within: 17; content: "|4C0000000C000000B00000380A000040|"; distance: 1; within: 17; content: "|4E00000000000000C000004039000040|"; distance: 1; within: 17; content: "|4E00000008000000000100C806000040|"; distance: 1; within: 17; sid: 2009000486; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Fish PE Shield 112116 - HellFish]"; flow: established,to_client; content: "|60E8EAFDFFFFFFD0C38D4000|"; content: "|0000002C000000|"; distance: 1; within: 8; content: "|00|"; distance: 3; within: 4; content: "|0000|"; distance: 2; within: 4; content: "|0000|"; distance: 3; within: 5; content: "|00|"; distance: 2; within: 3; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00000000|"; distance: 1; within: 5; content: "|00|"; distance: 2; within: 3; content: "|0000|"; distance: 2; within: 4; content: "|00000000|"; distance: 1; within: 5; content: "|0000100000|"; distance: 2; within: 7; content: "|0040|"; distance: 3; within: 5; content: "|0000|"; distance: 3; within: 5; content: "|0000|"; distance: 2; within: 4; content: "|00|"; distance: 2; within: 3; content: "|0040|"; distance: 3; within: 5; content: "|0000|"; distance: 3; within: 5; content: "|000000|"; distance: 1; within: 4; content: "|00|"; distance: 2; within: 3; content: "|000040|"; distance: 2; within: 5; sid: 2009000487; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FishPE V10X - hellfish]"; flow: established,to_client; content: "|60E8|"; content: "|C390090000002C000000|"; distance: 4; within: 14; content: "|C4030000BCA0000000400100|"; distance: 4; within: 16; content: "|0000000000000000000000000000000099000000008A000000100000|"; distance: 4; within: 32; content: "|0000|"; distance: 2; within: 4; content: "|000002000000A0000018010000|"; distance: 4; within: 17; content: "|00000C000000B00000380A0000|"; distance: 4; within: 17; content: "|000000000000C0000040390000|"; distance: 4; within: 17; content: "|000008000000000100C8060000|"; distance: 4; within: 17; sid: 2009000488; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FixupPak v120]"; flow: established,to_client; content: "|55E8000000005D81ED|"; content: "|0000BE00|"; distance: 2; within: 6; content: "|000003F5BA0000|"; distance: 1; within: 8; content: "|2BD58BDD33C0AC3C00743D3C01740E3C02740E3C03740D03D82913EBE766ADEBF6ADEBF3AC0FB6C83C0074063C017409EB0A66AD0FB7C8EB03AD8BC8|"; distance: 2; within: 62; sid: 2009000489; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Fly-Crypter 10 - ut1lz]"; flow: established,to_client; content: "|558BEC83C4F053B818224444E87FF7FFFFE80AF1FFFFB809000000E85CF1FFFF8BD885DB7505E885FDFFFF83FB017505E87BFDFFFF83FB027505E8D1FDFFFF83FB037505E887FEFFFF83FB047505E85DFDFFFF83FB057505E8B3FDFFFF83FB067505E869FEFFFF83FB077505E85FFEFFFF83FB087505E895FDFFFF83FB097505E84BFEFFFF5BE89DF2FFFF90|"; sid: 2009000490; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeBASIC 016b]"; flow: established,to_client; content: "|5589E583EC08C7042401000000FF15|"; content: "|00E888FFFFFF89EC31C05DC389F65589E583EC08C7042402000000FF15|"; distance: 3; within: 32; content: "|00E868FFFFFF89EC31C05DC389F65589E583EC088B4508890424FF15|"; distance: 3; within: 31; content: "|0089EC5DC38D76008DBC27000000005589E583EC088B4508890424FF15|"; distance: 3; within: 32; content: "|0089EC5DC390909090909090909090|"; distance: 3; within: 18; sid: 2009000491; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner 151 - GlOFF]"; flow: established,to_client; content: "|9087FF9090B92B000000BA0710400083C2039087FF9090B9040000009087FF9033C9C7050930400000000000680001000068213040006A00E8B70200006A0068800000006A036A006A0068000000806821304000E88F020000A3193040009087FF908B150930400081C204010000F7DA6A026A0052|"; sid: 2009000492; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner 152 (Stub engine 16) - GlOFF]"; flow: established,to_client; content: "|E846FDFFFF50E80C000000FF2508204000FF250C204000FF2510204000FF2514204000FF2518204000FF251C204000FF2520204000FF2524204000FF2528204000FF2500204000|"; sid: 2009000493; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner 153 (Stub engine 17) - GlOFF]"; flow: established,to_client; content: "|E833FDFFFF50E80D000000CCFF2508204000FF250C204000FF2510204000FF2514204000FF2518204000FF251C204000FF2520204000FF2524204000FF2528204000FF2500204000|"; sid: 2009000494; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner 153 (Stub engine 171) - GlOFF]"; flow: established,to_client; content: "|E802FDFFFF6A00E80D000000CCFF2580104000FF2584104000FF2588104000FF258C104000FF2590104000FF2594104000FF2598104000FF259C104000FF25A0104000FF25A8104000|"; sid: 2009000495; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner Small (build 014-021024-027) - GlOFF]"; flow: established,to_client; content: "|E8|"; content: "|FFFF6A00E80D000000CCFF2578104000FF257C104000FF2580104000FF2584104000FF2588104000FF258C104000FF2590104000FF2594104000FF2598104000FF259C104000FF25A0104000FF25A4104000FF25AC104000|"; distance: 2; within: 90; sid: 2009000496; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner Small (build 023) - GlOFF]"; flow: established,to_client; content: "|E8E1FDFFFF6A00E80C000000FF2578104000FF257C104000FF2580104000FF2584104000FF2588104000FF258C104000FF2590104000FF2594104000FF2598104000FF259C104000FF25A0104000FF25A4104000FF25AC104000|"; sid: 2009000497; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner Small (build 029) - GlOFF]"; flow: established,to_client; content: "|5032C48AC358E8DEFDFFFF6A00E80D000000CCFF2578104000FF257C104000FF2580104000FF2584104000FF2588104000FF258C104000FF2590104000FF2594104000FF2598104000FF259C104000FF25A0104000FF25A4104000FF25AC104000|"; sid: 2009000498; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner Small (build 031032) - GlOFF]"; flow: established,to_client; content: "|5032|"; content: "|668BC358E8|"; distance: 1; within: 6; content: "|FDFFFF6A00E80D000000CCFF2578104000FF257C104000FF2580104000FF2584104000FF2588104000FF258C104000FF2590104000FF2594104000FF2598104000FF259C104000FF25A0104000FF25A4104000FF25AC104000|"; distance: 1; within: 90; sid: 2009000499; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner Small (build 033) - GlOFF]"; flow: established,to_client; content: "|506633C3668BC158E8ACFDFFFF6A00E80D000000CCFF2578104000FF257C104000FF2580104000FF2584104000FF2588104000FF258C104000FF2590104000FF2594104000FF2598104000FF259C104000FF25A0104000FF25A4104000FF25AC104000|"; sid: 2009000500; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FreeJoiner Small (build 035) - GlOFF]"; flow: established,to_client; content: "|5133CB86C959E89EFDFFFF6687DB6A00E80C000000FF2578104000FF257C104000FF2580104000FF2584104000FF2588104000FF258C104000FF2590104000FF2594104000FF2598104000FF259C104000FF25A0104000FF25A4104000FF25AC104000|"; sid: 2009000501; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Freshbind v20 - gFresh]"; flow: established,to_client; content: "|64A1000000005589E56AFF681CA04100|"; sid: 2009000502; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Frusion - biff]"; flow: established,to_client; content: "|83EC0C535556576804010000C7442414|"; sid: 2009000503; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG 131 - dulekxt]"; flow: established,to_client; content: "|BE|"; content: "|00BF|"; distance: 3; within: 5; content: "|00BB|"; distance: 3; within: 5; content: "|0053BB|"; distance: 3; within: 6; content: "|00B280|"; distance: 3; within: 6; sid: 2009000504; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v10]"; flow: established,to_client; content: "|BBD0014000BF00104000BE|"; content: "|53E80A00000002D275058A164612D2C3FCB280A46A025B|"; distance: 4; within: 27; sid: 2009000505; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v100 (Eng) - dulekxt]"; flow: established,to_client; content: "|BBD0014000BF00104000BE|"; content: "|0053E80A00000002D275058A164612D2C3FCB280A46A025BFF142473F733C9FF1424731833C0FF14247321B30241B010FF142412C073F9753FAAEBDCE8430000002BCB7510E838|"; distance: 3; within: 74; sid: 2009000506; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v11]"; flow: established,to_client; content: "|BBD00140|"; content: "|BF|"; distance: 1; within: 2; content: "|1040|"; distance: 1; within: 3; content: "|BE|"; distance: 1; within: 2; content: "|FCB2808A064688074702D275058A16|"; distance: 4; within: 19; sid: 2009000507; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - bartxt]"; flow: established,to_client; content: "|BBD0014000BF00104000BE|"; content: "|0053E80A00000002D275058A164612D2C3B280A46A025BFF142473F733C9FF1424731833C0FF14247321B30241B010FF142412C073F9753FAAEBDCE8430000002BCB7510E83800|"; distance: 3; within: 74; sid: 2009000508; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - bartxt - (Watcom CC EXE)]"; flow: established,to_client; content: "|EB02CD2003|"; content: "|8D|"; distance: 1; within: 2; content: "|80|"; distance: 1; within: 2; content: "|00|"; distance: 2; within: 3; content: "|EB02|"; distance: 9; within: 11; sid: 2009000509; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - bartxt - WinRAR-SFX]"; flow: established,to_client; content: "|80E9A1C1C11368E4167546C1C1055EEB019D6864863746EB028CE05FF7D0|"; sid: 2009000510; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - bartxt - WinRAR-SFX]"; flow: established,to_client; content: "|EB0102EB02CD20B880|"; content: "|4200EB0155BEF400000013DF13D80FB638D1F3F7|"; distance: 1; within: 21; sid: 2009000511; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt]"; flow: established,to_client; content: "|BBD00140|"; content: "|BF|"; distance: 1; within: 2; content: "|1040|"; distance: 1; within: 3; content: "|BE|"; distance: 1; within: 2; sid: 2009000512; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt]"; flow: established,to_client; content: "|E801000000|"; content: "|E8|"; distance: 2; within: 3; content: "|000000|"; distance: 1; within: 4; sid: 2009000513; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt]"; flow: established,to_client; content: "|EB01|"; content: "|EB02|"; distance: 1; within: 3; content: "|80|"; distance: 3; within: 4; content: "|00|"; distance: 2; within: 3; sid: 2009000514; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland C 1999)]"; flow: established,to_client; content: "|EB02CD202BC86880|"; content: "|00EB021EBB5EEB02CD2068B12B6E37405B0FB6C9|"; distance: 2; within: 22; sid: 2009000515; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland C)]"; flow: established,to_client; content: "|23CAEB025A0DE8020000006A3558C1C910BE80|"; content: "|000FB6C9EB02CD20BB|"; distance: 2; within: 11; sid: 2009000516; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland C)]"; flow: established,to_client; content: "|23CAEB025A0DE8020000006A3558C1C910BE80|"; content: "|000FB6C9EB02CD20BBF4000000EB0204FAEB01FAEB015FEB02CD208A16EB02113180E931EB023011C1E91180EA04EB02F0EA33CB81EAABAB190804D503C280EA|"; distance: 2; within: 66; sid: 2009000517; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland Delphi Borland C)]"; flow: established,to_client; content: "|2BC2E802000000954A598D3D52F12AE8C1C81CBE2E|"; content: "|18EB02ABA003F7|"; distance: 2; within: 9; sid: 2009000518; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland Delphi Borland C)]"; flow: established,to_client; content: "|2BC2E802000000954A598D3D52F12AE8C1C81CBE2E|"; content: "|18EB02ABA003F7EB02CD2068F40000000BC75B03CB8A068A16E8020000008D4659EB01A402D3EB02CD2002D3E80200000057AB5881C2AA87ACB90FBEC980|"; distance: 2; within: 64; sid: 2009000519; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland Delphi Borland C)]"; flow: established,to_client; content: "|EB012EEB02A555BB80|"; content: "|0087FE8D05AACEE063EB0175BA5ECEE063EB02|"; distance: 2; within: 21; sid: 2009000520; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland Delphi Microsoft Visual C ASM)]"; flow: established,to_client; content: "|EB02CD20EB02CD20EB02CD20C1E618BB80|"; content: "|00EB0282B8EB01108D05F4|"; distance: 2; within: 13; sid: 2009000521; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland Delphi Microsoft Visual C)]"; flow: established,to_client; content: "|1BDBE8020000001A0D5B6880|"; content: "|00E801000000EA5A58EB02CD2068F4000000EB02CD205E0FB6D080CA5C8B38EB0135EB02DC9781EFF7651743E80200000097CB5B81C7B28BA10C8BD183EF17EB020C6583EF4313|"; distance: 2; within: 73; sid: 2009000522; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland Delphi Microsoft Visual C)]"; flow: established,to_client; content: "|C1C810EB010FBF03746677C1E91D6883|"; content: "|77EB02CD205EEB02CD202BF7|"; distance: 2; within: 14; sid: 2009000523; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland Delphi Microsoft Visual C)x]"; flow: established,to_client; content: "|1BDBE8020000001A0D5B6880|"; content: "|00E801000000EA5A58EB02CD2068F400|"; distance: 2; within: 18; sid: 2009000524; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Borland Delphi 20)]"; flow: established,to_client; content: "|EB0156E802000000B2D9596880|"; content: "|4100E8020000006532595EEB02CD20BB|"; distance: 1; within: 17; sid: 2009000525; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (MASM32 TASM32 Microsoft Visual Basic)]"; flow: established,to_client; content: "|F7D80FBEC2BE80|"; content: "|000FBEC9BF083B6507EB02D829BBECC59AF8EB0194|"; distance: 2; within: 23; sid: 2009000526; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (MASM32 TASM32)]"; flow: established,to_client; content: "|03F723FE33FBEB02CD20BB80|"; content: "|4000EB0186EB0190B8F400000083EE052B|"; distance: 1; within: 18; sid: 2009000527; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (MASM32 TASM32)]"; flow: established,to_client; content: "|03F723FE33FBEB02CD20BB80|"; content: "|4000EB0186EB0190B8F400000083EE052BF281F6EE000000EB02CD208A0BE802000000A9545EC1EE07F7D7EB01DE81E9B796A0C4EB016BEB02CD2080E94BC1CF08EB017180E91CEB|"; distance: 1; within: 73; sid: 2009000528; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (MASM32)]"; flow: established,to_client; content: "|EB01DBE80200000086435E8D1DD075CF83C1EE1D6850|"; content: "|8F83EB023D0F5A|"; distance: 1; within: 8; sid: 2009000529; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual Basic MASM32)]"; flow: established,to_client; content: "|EB0209940FB7FF6880|"; content: "|0081F68E0000005BEB0211C28D05F400000047|"; distance: 2; within: 21; sid: 2009000530; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual Basic 50 60)]"; flow: established,to_client; content: "|C1CB10EB010FB90374F6EE0FB6D38D0583|"; content: "|EF80F3F62BC1EB01DE6877|"; distance: 2; within: 13; sid: 2009000531; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 4x LCC Win32 1x)]"; flow: established,to_client; content: "|2C711BCAEB012AEB01658D3580|"; content: "|0080C98480C968BBF4000000EB01EB|"; distance: 2; within: 17; sid: 2009000532; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 50 60)]"; flow: established,to_client; content: "|33D20FBED2EB01C7EB01D88D0580|"; content: "|EB02CD20EB01F8BEF4000000EB|"; distance: 3; within: 16; sid: 2009000533; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60 70 ASM)]"; flow: established,to_client; content: "|E8010000005A5EE802000000BADD5E03F2EB0164BB80|"; content: "|008BFAEB01A8|"; distance: 2; within: 8; sid: 2009000534; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60 70)]"; flow: established,to_client; content: "|0BD08BDAE80200000040A05AEB019DB880|"; content: "|00EB02CD2003D38D35F4000000EB0135EB018880CA7C80F3748B38EB02ACBA03DBE801000000A55BC1C20B81C7DA100A4EEB01082BD183EF14EB02CD2033D383EF27|"; distance: 2; within: 68; sid: 2009000535; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60 70)]"; flow: established,to_client; content: "|0BD08BDAE80200000040A05AEB019DB880|"; content: "|EB02CD2003D38D35F400|"; distance: 3; within: 13; sid: 2009000536; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60 70)]"; flow: established,to_client; content: "|87FEE80200000098CC5FBB80|"; content: "|00EB02CD2068F4000000E801000000E3|"; distance: 2; within: 18; sid: 2009000537; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60 70)]"; flow: established,to_client; content: "|F7D84049EB02E00A8D3580|"; content: "|0FB6C2EB019C8D1DF4000000EB013C80|"; distance: 3; within: 19; sid: 2009000538; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60 70)]"; flow: established,to_client; content: "|F7DB80EABFB92F4067BAEB010168AF|"; content: "|A7BA80EA9D58C1C2092BC18BD768|"; distance: 1; within: 15; sid: 2009000539; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60 ASM)]"; flow: established,to_client; content: "|F7D0EB02CD20BEBB741CFBEB02CD20BF3B|"; content: "|FBC1C10333F7EB02CD2068|"; distance: 2; within: 13; sid: 2009000540; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|03DEEB01F8B880|"; content: "|4200EB02CD206817A0B3ABEB01E8590FB6DB680BA1B3|"; distance: 1; within: 23; sid: 2009000541; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|03DEEB01F8B880|"; content: "|4200EB02CD206817A0B3ABEB01E8590FB6DB680BA1B3ABEB02CD205E80CBAA2BF1EB02CD20430FBE3813D680C3472BFEEB01F403FEEB024F4E81EF93537C3C80C32981F78A8F678B80C3C72BFE|"; distance: 1; within: 78; sid: 2009000542; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|91EB02CD20BF50BC046F91BED0|"; content: "|6FEB02CD202BF7EB02F0468D1DF400|"; distance: 2; within: 17; sid: 2009000543; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|C1CE10C1F60F6800|"; content: "|002BFA5B23F98D1580|"; distance: 2; within: 11; content: "|00E801000000B65E0B|"; distance: 2; within: 11; sid: 2009000544; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|D1E903C06880|"; content: "|00EB02CD205E40BBF400000033CA2BC70FB616EB013E|"; distance: 2; within: 24; sid: 2009000545; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|E8010000000E59E8010000005858BE80|"; content: "|00EB0261E968F4000000C1C8|"; distance: 2; within: 14; sid: 2009000546; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|EB014D83F64C6880|"; content: "|00EB02CD205BEB012368481C2B3AE80200000038|"; distance: 2; within: 22; sid: 2009000547; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|EB02AB35EB02B5C68D0580|"; content: "|00C1C211BEF4000000F7DBF7DB0FBE38E8|"; distance: 2; within: 19; sid: 2009000548; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|EB02CD20|"; content: "|CF|"; distance: 1; within: 2; content: "|80|"; distance: 2; within: 3; content: "|00|"; distance: 2; within: 3; content: "|00|"; distance: 8; within: 9; sid: 2009000549; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v110 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|F7DB80EABFB92F4067BAEB010168AF|"; content: "|BA80EA9D58C1C2092BC18BD768|"; distance: 2; within: 15; sid: 2009000550; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v12]"; flow: established,to_client; content: "|4B45524E454C33322E646C6C00004C6F61644C69627261727941000047657450726F634164647265737300|"; content: "|0000000000|"; distance: 1; within: 6; sid: 2009000551; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v120 (Eng) - dulekxt - (Borland C)]"; flow: established,to_client; content: "|C1F007EB02CD20BE80|"; content: "|001BC68D1DF40000000FB606EB02CD208A160FB6C3E801000000DC5980EA37EB02CD202AD3EB02CD2080EA731BCF32D3C1C80E80EA230FB6C902D3EB01B502D3EB02DB5B81C2F6567BF6|"; distance: 2; within: 76; sid: 2009000552; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v120 (Eng) - dulekxt - (Borland Delphi Borland C)]"; flow: established,to_client; content: "|0FBEC1EB010E8D35C3BEB622F7D16843|"; content: "|22EB02B5155FC1F11533F780E9F9BBF4000000EB028FD0EB0208AD8A162BC71BC780C27A4180EA10EB013C81EACFAEF1AAEB01EC81EABBC6ABEE2CE332D30BCB81EAAB|"; distance: 2; within: 69; sid: 2009000553; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v120 (Eng) - dulekxt - (Borland Delphi Microsoft Visual C)]"; flow: established,to_client; content: "|0FB6D0E8010000000C5AB880|"; content: "|00EB0200DE8D35F4000000F7D2EB020EEA8B38EB01A0C1F31181EF8488F44CEB02CD2083F72287D333FEC1C31983F726E802000000BCDE5A81EFF7EF6F18EB02CD2083EF7FEB01|"; distance: 2; within: 73; sid: 2009000554; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v120 (Eng) - dulekxt - (MASM32 TASM32)]"; flow: established,to_client; content: "|33C22CFB8D3D7E45B480E8020000008A45586802|"; content: "|8C7FEB02CD205E80C91603F7EB0240B068F400000080F12C5BC1E9050FB6C98A160FB6C90FBFC72AD3E802000000994C5880EA53C1C9162AD3E8020000009DCE|"; distance: 1; within: 65; sid: 2009000555; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v120 (Eng) - dulekxt - (Microsoft Visual C 60 70)]"; flow: established,to_client; content: "|EB02CD20EB01918D3580|"; content: "|0033C26883937E7D0CA45B23C36877937E7DEB01FA5FE802000000F7FB5833DFEB013FE8020000001188580FB616EB02CD20EB02862F2AD3EB02CD2080EA2FEB015232D380E9CD80EA|"; distance: 2; within: 75; sid: 2009000556; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v120 (Eng) - dulekxt - (Microsoft Visual C 60)]"; flow: established,to_client; content: "|C1E006EB02CD20EB0127EB0124BE80|"; content: "|420049EB01998D1DF4000000EB015CF7D81BCAEB01318A1680E941EB01C2C1E00AEB01A181EAA88C18A13446E801000000625932D3C1C902EB016880F21A0FBEC9F7D12AD3|"; distance: 1; within: 70; sid: 2009000557; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v13]"; flow: established,to_client; content: "|BBD0014000BF00104000BE|"; content: "|53E80A00000002D275058A164612D2C3B280A46A025BFF142473F733C9FF1424731833C0FF14247321B30241B010FF142412C073F9753FAAEBDCE8430000002BCB7510E83800|"; distance: 4; within: 74; sid: 2009000558; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v131]"; flow: established,to_client; content: "|BBD0014000BF00104000BE|"; content: "|53BB|"; distance: 4; within: 6; content: "|B280A4B680FFD373F933C9|"; distance: 4; within: 15; sid: 2009000559; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v131 (Eng) - dulekxt]"; flow: established,to_client; content: "|BBD0014000BF00104000BE|"; content: "|0053BB|"; distance: 3; within: 6; content: "|00B280A4B680FFD373F933C9FFD3731633C0FFD37323B68041B010FFD312C073FA7542AAEBE0E84600000002F683D9017510E838000000EB28ACD1E8744813C9EB|"; distance: 3; within: 68; sid: 2009000560; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v133]"; flow: established,to_client; content: "|BEA4014000AD93AD97AD5696B280A4B680FF1373|"; sid: 2009000561; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v133 (Eng) - dulekxt]"; flow: established,to_client; content: "|BEA4014000AD93AD97AD5696B280A4B680FF1373F933C9FF13731633C0FF|"; sid: 2009000562; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v133 (Eng) - dulekxt]"; flow: established,to_client; content: "|BEA4014000AD93AD97AD5696B280A4B680FF1373F933C9FF13731633C0FF13731FB68041B010FF1312C073FA753CAAEBE0FF530802F683D901750EFF5304EB26ACD1E8742F13C9EB1A9148C1E008ACFF53043D007D|"; sid: 2009000563; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FSG v20 - bartxt]"; flow: established,to_client; content: "|8725|"; content: "|00619455A4B680FF13|"; distance: 3; within: 12; sid: 2009000564; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FucknJoy v10c - UsAr]"; flow: established,to_client; content: "|60E8000000005D81EDD8054000FF742420E88C0200000BC00F842C01000089856C0840008D852F08400050FFB56C084000E8EF0200000BC00F840C01000089853B0840008D853F08400050FFB56C084000E8CF0200|"; sid: 2009000565; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[FucknJoy v10c - UsAr]"; flow: established,to_client; content: "|60E8000000005D81EDD8054000FF742420E88C0200000BC00F842C01000089856C0840008D852F08400050FFB56C084000E8EF0200000BC00F840C01000089853B0840008D853F08400050FFB56C084000E8CF0200000BC00F84EC00000089854D0840008D855108400050FFB56C084000E8AF0200000BC00F84CC00000089855C0840008D8567074000E87B0200008DB5C4074000566A64FF957407400046803E0075FAC706746D702E83C604C706657865008D8536074000E84C02000033DB53536A02535368000000408D85C407400050FF95740740008985780740008D8551074000E8210200006A008D857C074000506800|"; content: "|008D85F209400050FF|"; distance: 2; within: 11; sid: 2009000566; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Fusion 10 - jaNooNi]"; flow: established,to_client; content: "|68043040006804304000E8090300006804304000E8C7020000|"; sid: 2009000567; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[GameGuard - nProtect]"; flow: established,to_client; content: "|31FF740661E94A4D50305ABA7D000000807C240801E90000000060BE|"; content: "|31FF740661E94A4D50308DBE|"; distance: 4; within: 16; content: "|31C9740661E94A4D5030B87D00000039C2B84C000000F7D0753F64A13000000085C078238B400C8B400CC740200010000064A1180000008B40300FB6400285C07516E91200000031C064A02000000085C07505E901000000615783CDFFEB0B908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB7507|"; distance: 4; within: 128; sid: 2009000568; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[GameGuard v20065xx (*dll) - sign by hot_UNP]"; flow: established,to_client; content: "|31FF740661E94A4D5030BA4C000000807C2408010F85|"; content: "|01000060BE00|"; distance: 1; within: 7; sid: 2009000569; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[GameGuard v20065xx (*exe) - sign by hot_UNP]"; flow: established,to_client; content: "|31FF740661E94A4D50305ABA7D000000807C240801E90000000060BE00|"; sid: 2009000570; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Gamehouse Media Protector Version Unknown]"; flow: established,to_client; content: "|68|"; content: "|6A00FF15|"; distance: 4; within: 8; content: "|50FF15|"; distance: 4; within: 7; content: "|0000000000000000|"; distance: 3; within: 11; sid: 2009000571; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Gardian Angel 10]"; flow: established,to_client; content: "|068CC88ED88EC0FCBF|"; content: "|EB|"; distance: 2; within: 3; sid: 2009000572; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[GHF Protector (pack only) -- GPcH]"; flow: established,to_client; content: "|6068|"; content: "|B8|"; distance: 4; within: 5; content: "|FF1068|"; distance: 4; within: 7; content: "|50B8|"; distance: 4; within: 6; content: "|FF1068000000006A40FFD08905|"; distance: 4; within: 17; content: "|89C7BE|"; distance: 4; within: 7; content: "|60FCB28031DBA4B302E86D00000073F631C9E864000000731C31C0E85B0000007323B30241B010E84F00000010C073F7753FAAEBD4E84D00000029D97510E842000000EB28ACD1E8744D11C9EB1C9148C1E008ACE82C0000003D007D0000730A80FC05730683F87F770241419589E8B3015689FE29C6F3A45EEB8E00D275058A164610D2C331C941E8EEFFFFFF11C9E8E7FFFFFF72F2C361B9FCFFFFFF8B1C088999|"; distance: 4; within: 166; content: "|E2F59090BA|"; distance: 4; within: 9; content: "|BE|"; distance: 4; within: 5; content: "|01D68B460C85C00F848700000001D089C350B8|"; distance: 4; within: 23; content: "|FF1085C0750853B8|"; distance: 4; within: 12; content: "|FF108905|"; distance: 4; within: 8; content: "|C705|"; distance: 4; within: 6; content: "|00000000BA|"; distance: 4; within: 9; content: "|8B0685C075038B461001D00305|"; distance: 4; within: 17; content: "|8B188B7E1001D7033D|"; distance: 4; within: 13; content: "|85DB742BF7C300000080750401D3434381E3FFFFFF0F53FF35|"; distance: 4; within: 29; content: "|B8|"; distance: 4; within: 5; content: "|FF1089078305|"; distance: 4; within: 10; content: "|04EBAE83C614BA|"; distance: 4; within: 11; content: "|E96EFFFFFF68|"; distance: 4; within: 10; content: "|B8|"; distance: 4; within: 5; content: "|FF1068|"; distance: 4; within: 7; content: "|50B8|"; distance: 4; within: 6; content: "|FF108B15|"; distance: 4; within: 8; content: "|52FFD061BA|"; distance: 4; within: 9; content: "|FFE290C3|"; distance: 4; within: 8; sid: 2009000573; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Goats Mutilator V16 - Goat_e0f]"; flow: established,to_client; content: "|E8EA0B0000|"; content: "|8B1C79F663D88D22B0BFF64908C302BD3B6C294613285D|"; distance: 3; within: 26; sid: 2009000574; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HACKSTOP v100]"; flow: established,to_client; content: "|FABD|"; content: "|FFE56A49480C|"; distance: 2; within: 8; content: "|E4|"; distance: 1; within: 2; content: "|3F983F|"; distance: 1; within: 4; sid: 2009000575; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HACKSTOP v110 v111]"; flow: established,to_client; content: "|B430CD2186E03D|"; content: "|73|"; distance: 2; within: 3; content: "|B42FCD21B0|"; distance: 1; within: 6; content: "|B44CCD2150B8|"; distance: 1; within: 7; content: "|58EB|"; distance: 2; within: 4; sid: 2009000576; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HACKSTOP v110p1]"; flow: established,to_client; content: "|B430CD2186E03D000373|"; content: "|B42FCD21B42ACD21B42CCD21B0FFB44CCD2150B8|"; distance: 1; within: 21; content: "|58EB|"; distance: 2; within: 4; sid: 2009000577; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HACKSTOP v111c]"; flow: established,to_client; content: "|B430CD2186E03D|"; content: "|73|"; distance: 2; within: 3; content: "|B4|"; distance: 1; within: 2; content: "|CD21B0|"; distance: 1; within: 4; content: "|B44CCD2153BB|"; distance: 1; within: 7; content: "|5BEB|"; distance: 2; within: 4; sid: 2009000578; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HACKSTOP v113]"; flow: established,to_client; content: "|52B8|"; content: "|1ECD2186E03D|"; distance: 2; within: 8; content: "|73|"; distance: 2; within: 3; content: "|CD200E1FB409E8|"; distance: 1; within: 8; content: "|24|"; distance: 2; within: 3; content: "|EA|"; distance: 1; within: 2; sid: 2009000579; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HACKSTOP v118]"; flow: established,to_client; content: "|52BA|"; content: "|5AEB|"; distance: 2; within: 4; content: "|9A|"; distance: 1; within: 2; content: "|30CD21|"; distance: 4; within: 7; content: "|FD02|"; distance: 3; within: 5; content: "|CD200E1F52BA|"; distance: 2; within: 8; content: "|5AEB|"; distance: 2; within: 4; sid: 2009000580; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HACKSTOP v119]"; flow: established,to_client; content: "|52BA|"; content: "|5AEB|"; distance: 2; within: 4; content: "|9A|"; distance: 1; within: 2; content: "|30CD21|"; distance: 4; within: 7; content: "|D602|"; distance: 3; within: 5; content: "|CD200E1F52BA|"; distance: 2; within: 8; content: "|5AEB|"; distance: 2; within: 4; sid: 2009000581; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Hardlock dongle (Alladin)]"; flow: established,to_client; content: "|5C5C2E5C484152444C4F434B2E565844000000005C5C2E5C46456E7465446576|"; sid: 2009000582; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Hasp dongle (Alladin)]"; flow: established,to_client; content: "|5053515257568B751C8B3E|"; content: "|8B5D088AFB|"; distance: 5; within: 10; content: "|035D108B450C8B4D148B551880FF32|"; distance: 2; within: 17; sid: 2009000583; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HASP HL Protection V1X - Aladdin]"; flow: established,to_client; content: "|558BEC535657608BC4A3|"; content: "|B8|"; distance: 4; within: 5; content: "|2B05|"; distance: 4; within: 6; content: "|A3|"; distance: 4; within: 5; content: "|833D|"; distance: 4; within: 6; content: "|0074158B0D|"; distance: 4; within: 9; content: "|51FF15|"; distance: 4; within: 7; content: "|83C404E9A500000068|"; distance: 4; within: 13; content: "|FF15|"; distance: 4; within: 6; content: "|A3|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|FF15|"; distance: 4; within: 6; sid: 2009000584; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HASP HL Protection V1X - Aladdin]"; flow: established,to_client; content: "|558BEC535657608BC4A3|"; content: "|B8|"; distance: 4; within: 5; content: "|2B05|"; distance: 4; within: 6; content: "|A3|"; distance: 4; within: 5; content: "|833D|"; distance: 4; within: 6; content: "|0074158B0D|"; distance: 4; within: 9; content: "|51FF15|"; distance: 4; within: 7; content: "|83C404E9A500000068|"; distance: 4; within: 13; content: "|FF15|"; distance: 4; within: 6; content: "|A3|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|FF15|"; distance: 4; within: 6; content: "|A3|"; distance: 4; within: 5; content: "|8B15|"; distance: 4; within: 6; sid: 2009000585; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HEALTH v51 by Muslim MPolyak]"; flow: established,to_client; content: "|1EE8|"; content: "|2E8C06|"; distance: 2; within: 5; content: "|2E893E|"; distance: 2; within: 5; content: "|8BD7B8|"; distance: 2; within: 5; content: "|CD218BD80E1FE8|"; distance: 2; within: 9; content: "|0657A1|"; distance: 2; within: 5; content: "|26|"; distance: 2; within: 3; sid: 2009000586; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[hmimys Protect v10]"; flow: established,to_client; content: "|E8BA000000|"; content: "|00000000|"; distance: 1; within: 5; content: "|0000104000|"; distance: 2; within: 7; content: "|00|"; distance: 3; within: 4; content: "|0000|"; distance: 3; within: 5; content: "|00|"; distance: 2; within: 3; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00000000000000|"; distance: 1; within: 8; content: "|000000000000000000|"; distance: 3; within: 12; content: "|00|"; distance: 3; within: 4; content: "|000000000000000000000000000000000000000000|"; distance: 3; within: 24; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00000000004B65726E656C33322E646C6C0000004C6F61644C6962726172794100000047657450726F63416464726573730000005669727475616C467265650000005669727475616C416C6C6F63005E83C664AD50AD5083EE6CAD50AD50AD50AD50AD50E8E7070000AD8BDE8BF083C344AD85C074328BF856FF138BE8AC84C075FBAC84C074EA4EADA9|"; distance: 3; within: 141; sid: 2009000587; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[hmimyss PE-Pack 01 - hmimys]"; flow: established,to_client; content: "|E8000000005D83ED056A00FF95E10E00008985850E00008B583C03D881C3F800000080AD890E000001899D630F00008B4B0C038D850E00008B530880BD890E000000750C038D910E00002B95910E0000898D570F000089955B0F00008B5B10899D5F0F00008B9D5F0F00008B85570F00005350E8B70B00008985730F00006A046800100000506A00FF95E90E000089856B0F00006A04680010000068D87C00006A00FF95E90E000089856F0F00008D85670F00008B9D730F00008B8D6B0F00008B955B0F000083EA0E8BB5570F000083C60E8BBD6F0F0000505351525668D87C000057E8010100008B9D570F00008B033C0175|"; sid: 2009000588; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[hmimys-Packer V12 - hmimys]"; flow: established,to_client; content: "|E895000000|"; content: "|5EAD50AD5097AD50AD50AD50E8C0010000AD50AD9387DEB9|"; distance: 149; within: 173; content: "|E31D8A074704|"; distance: 4; within: 10; content: "|3C|"; distance: 1; within: 2; content: "|73F78B073C|"; distance: 1; within: 6; content: "|75F3B0000FC805|"; distance: 1; within: 8; content: "|2BC7ABE2E3AD85C0742B9756FF138BE8AC84C075FB66AD6685C074E9AC83EE0384C074085655FF5304ABEBE4AD5055FF5304ABEBE0C38B0A3B4A04750AC74210010000000CFFC3|"; distance: 4; within: 75; sid: 2009000589; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[HPA]"; flow: established,to_client; content: "|E8|"; content: "|5E8BD683|"; distance: 2; within: 6; content: "|83|"; distance: 2; within: 3; content: "|060E1E0E1F33FF8CD3|"; distance: 2; within: 11; sid: 2009000590; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[hyings PEArmor V076 - hying]"; flow: established,to_client; content: "|E90000000060E8140000005D81ED000000006A|"; content: "|E8A3000000|"; distance: 1; within: 6; sid: 2009000591; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ICrypt 10 - by BuGGz]"; flow: established,to_client; content: "|558BEC83C4EC53565733C08945ECB8703B0010E83CFAFFFF33C055686C3C001064FF306489206A0A687C3C0010A15056001050E8D8FAFFFF8BD853A15056001050E80AFBFFFF8BF853A15056001050E8D4FAFFFF8BD853E8D4FAFFFF8BF085F674268BD74AB864560010E825F6FFFFB864560010E813F6FFFF8BCF8BD6E8E6FAFFFF53E890FAFFFF8D4DECBA8C3C0010A164560010E816FBFFFF8B55ECB864560010E8C5F4FFFFB864560010E8DBF5FFFFE856FCFFFF33C05A595964891068733C00108D45ECE84DF4FFFFC3E9E3EEFFFFEBF05F5E5BE84DF3FFFF00534554|"; content: "|00FFFFFFFF08000000766F747265636C65|"; distance: 4; within: 21; sid: 2009000592; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ID Application Protector 12 - ID Security Suite]"; flow: established,to_client; content: "|60E8000000005D81EDF20B4700B91922470081E9EA0E470089EA81C2EA0E47008D3A89FE31C0E9D3020000CCCCCCCCE9CA020000433A5C57696E646F77735C536F66745761726550726F746563746F725C|"; sid: 2009000593; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ILUCRYPT v4015 [exe]]"; flow: established,to_client; content: "|8BECFAC746F7|"; content: "|4281FA|"; distance: 2; within: 5; content: "|75F9FF66F7|"; distance: 2; within: 7; sid: 2009000594; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[iLUCRYPT v4018 [exe]]"; flow: established,to_client; content: "|8BECFAC7|"; content: "|4C4CC3FBBF|"; distance: 4; within: 9; content: "|B8|"; distance: 2; within: 3; content: "|2E|"; distance: 2; within: 3; content: "|D1C84F81|"; distance: 2; within: 6; sid: 2009000595; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Imploder v104 -- BoB BobSoft]"; flow: established,to_client; content: "|60E8A000000000000000000000000000000036|"; content: "|2E|"; distance: 3; within: 4; content: "|000000000000000000000000000000000000000001000080000000004B65726E656C33322E44|"; distance: 3; within: 41; sid: 2009000596; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[IMPostor Pack 10 - Mahdi Hezavehi]"; flow: established,to_client; content: "|BE|"; content: "|0083C601FFE600000000|"; distance: 3; within: 13; content: "|000000000000000000|"; distance: 2; within: 11; content: "|00|"; distance: 3; within: 4; content: "|02|"; distance: 1; within: 2; content: "|00100000000200|"; distance: 2; within: 9; sid: 2009000597; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Inbuild v10 [hard]]"; flow: established,to_client; content: "|B9|"; content: "|BB|"; distance: 2; within: 3; content: "|2E|"; distance: 2; within: 3; content: "|2E|"; distance: 2; within: 3; content: "|43E2|"; distance: 2; within: 4; sid: 2009000598; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Inno Setup Module]"; flow: established,to_client; content: "|496E6E6F53657475704C647257696E646F770000535441544943|"; sid: 2009000599; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Inno Setup Module v109a]"; flow: established,to_client; content: "|558BEC83C4C053565733C08945F08945C48945C0E8A77FFFFFE8FA92FFFFE8F1B3FFFF33C0|"; sid: 2009000600; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Inno Setup Module v129]"; flow: established,to_client; content: "|558BEC83C4C053565733C08945F08945EC8945C0E85B73FFFFE8D687FFFFE8C5A9FFFFE8E0|"; sid: 2009000601; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Install Stub 32-bit]"; flow: established,to_client; content: "|558BEC81EC14|"; content: "|00005356576A00FF15|"; distance: 1; within: 10; content: "|68|"; distance: 4; within: 5; content: "|FF15|"; distance: 4; within: 6; content: "|85C07429|"; distance: 4; within: 8; sid: 2009000602; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[InstallAnywhere 61 - Zero G Software Inc]"; flow: established,to_client; content: "|60BE00A042008DBE0070FDFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0|"; sid: 2009000603; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[InstallAnywhere 61 -Zero G Software Inc]"; flow: established,to_client; content: "|60BE00A042008DBE0070FDFF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB7507|"; sid: 2009000604; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[InstallShield 2000]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64A1|"; distance: 4; within: 6; content: "|50648925|"; distance: 4; within: 8; content: "|83C4|"; distance: 4; within: 6; content: "|535657|"; distance: 1; within: 4; sid: 2009000605; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[InstallShield Custom]"; flow: established,to_client; content: "|558BEC83EC4456FF15|"; content: "|41008BF085F675086AFFFF15|"; distance: 2; within: 14; content: "|41008A06578B3D|"; distance: 2; within: 9; content: "|41003C22751B56FFD78BF08A063C22740484C075F1803E22751556FFD78B|"; distance: 2; within: 32; sid: 2009000606; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Ionic Wind Software]"; flow: established,to_client; content: "|9BDBE39BDBE2D92D00|"; content: "|005589E5E8|"; distance: 2; within: 7; sid: 2009000607; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[iPB Protect 013 - 017 - forgot]"; flow: established,to_client; content: "|558BEC6AFF684B435546685449485364A100000000|"; sid: 2009000608; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[IProtect 10 (Fxlibdll mode) - by FuXdas]"; flow: established,to_client; content: "|EB332E4655584C6F61644C696272617279410046784C69622E646C6C000000000000000000000000000000000000000000|"; content: "|0060E8000000005D81ED71104000FF742420E8400000000BC0742F8985631040008D853C10400050FFB563104000E8920000000BC0741389855F1040008D854910400050FF955F1040008B85671040008944241C61FFE08B7C24048D85001040005064FF35000000008D855310400089208968048D9D0A1140008958086489250000000081E70000FFFF66813F4D5A750F8BF703763C813E504500007502EB1781EF0000010081FF000000707307BF0000F7BFEB02EBD397648F050000000083C404C204008D85001040005064FF35000000008D855310400089208968048D9D0A114000895808648925000000008B74240C66813E4D5A7405E98A00000003763C813E504500007402EB7D8B7C2410B99600000032C0F2AE8BCF2B4C24108B56780354240C8B5A20035C240C33C08B3B037C240C8B74241051F3A6750583C404EB0A5983C304403B421875E23B42187502EB358B72240374240C52BB0200000033D2F7E35A03C633C9668B088B7A1C33D2BB040000008BC1F7E30344240C03C78B000344240CEB0233C0648F050000000083C404C20800E8FAFDFFFF|"; distance: 3; within: 415; sid: 2009000609; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[IProtect 10 (FxSubdll mode) - by FuXdas]"; flow: established,to_client; content: "|EB332E4655584C6F61644C696272617279410046785375622E646C6C000000000000000000000000000000000000000000|"; content: "|0060E8000000005D81EDB6134000FF742420E8400000000BC0742F8985A81340008D858113400050FFB5A8134000E8920000000BC074138985A41340008D858E13400050FF95A41340008B85AC1340008944241C61FFE08B7C24048D85001040005064FF35000000008D859813400089208968048D9D4F1440008958086489250000000081E70000FFFF66813F4D5A750F8BF703763C813E504500007502EB1781EF0000010081FF000000707307BF0000F7BFEB02EBD397648F050000000083C404C204008D85001040005064FF35000000008D859813400089208968048D9D4F144000895808648925000000008B74240C66813E4D5A7405E98A00000003763C813E504500007402EB7D8B7C2410B99600000032C0F2AE8BCF2B4C24108B56780354240C8B5A20035C240C33C08B3B037C240C8B74241051F3A6750583C404EB0A5983C304403B421875E23B42187502EB358B72240374240C52BB0200000033D2F7E35A03C633C9668B088B7A1C33D2BB040000008BC1F7E30344240C03C78B000344240CEB0233C0648F050000000083C404C20800E8B5FAFFFF|"; distance: 3; within: 415; sid: 2009000610; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JAM v211]"; flow: established,to_client; content: "|50061607BE|"; content: "|8BFEB9|"; distance: 2; within: 5; content: "|FDFAF32EA5FB06BD|"; distance: 2; within: 10; content: "|55CB|"; distance: 2; within: 4; sid: 2009000611; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JDPack]"; flow: established,to_client; content: "|60E8|"; content: "|5D8BD581ED|"; distance: 4; within: 9; content: "|2B95|"; distance: 4; within: 6; content: "|81EA06|"; distance: 4; within: 7; content: "|8995|"; distance: 3; within: 5; content: "|83BD45|"; distance: 4; within: 7; sid: 2009000612; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JDPack 2x - JDPack]"; flow: established,to_client; content: "|558BEC6AFF6868514000680425400064A100000000|"; sid: 2009000613; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JDPack V200 - JDPack]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64A1000000005064892500000000|"; distance: 4; within: 18; content: "|E801000000|"; distance: 3; within: 8; content: "|050000000083C40C5D60E8000000005D8BD564FF3500000000EB|"; distance: 6; within: 32; sid: 2009000614; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[JExeCompressor 10 - by Arash Veyskarami]"; flow: established,to_client; content: "|8D2DD34AE5140FBBF70FBAE5730FAFD58D0D0C9FE611C0F8EFF6DE80DC5BF6DA0FA5C10FC1F11CF34A81E18C1F66910FBEC611EE0FC0E733D964F2C0DC730FC0D5558BECBAC01F41008BC2B99700000080327950B802000000500314245858512BC9B90100000083EA01E2FB59E2E1FFE0|"; sid: 2009000615; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Joiner (sign from pinch 25032007 2010)]"; flow: established,to_client; content: "|81EC040100008BF46804010000566A00E87C01000033C06A0068800000006A036A006A00680000008056E8500100008BD86A006A006A006A026A0053E84401|"; sid: 2009000616; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[KByS V022 - shoooo]"; flow: established,to_client; content: "|68|"; content: "|E801000000C3C31155078BECB8|"; distance: 4; within: 17; content: "|E8|"; distance: 4; within: 5; sid: 2009000617; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[KByS V028 - shoooo]"; flow: established,to_client; content: "|68|"; content: "|E801000000C3C3608B7424248B7C2428FCB28033DBA4|"; distance: 4; within: 26; sid: 2009000618; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[KByS V028 DLL - shoooo]"; flow: established,to_client; content: "|B8|"; content: "|BA|"; distance: 4; within: 5; content: "|03C2FFE0|"; distance: 4; within: 8; content: "|60E800000000|"; distance: 4; within: 10; sid: 2009000619; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[KGB SFX]"; flow: established,to_client; content: "|60BE00A046008DBE0070F9FF5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73|"; sid: 2009000620; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[KGCrypt vxx]"; flow: established,to_client; content: "|E8|"; content: "|5D81ED|"; distance: 4; within: 7; content: "|64A130|"; distance: 4; within: 7; content: "|84C074|"; distance: 3; within: 6; content: "|64A120|"; distance: 1; within: 4; content: "|0BC074|"; distance: 3; within: 6; sid: 2009000621; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[kkrunchy - Ryd]"; flow: established,to_client; content: "|BD08|"; content: "|00C74500|"; distance: 2; within: 6; content: "|00FF4D08C6450C058D7D1431C0B40489C1F3ABBF|"; distance: 3; within: 23; content: "|0057BE|"; distance: 3; within: 6; content: "|0031C941FF4D0C8D9C8DA0000000FFD610C973F3FF450C91AA83C9FF8D5C8D18FFD674DDE3178D5D1CFFD67410|"; distance: 3; within: 48; sid: 2009000622; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[kkrunchy 023 alpha - Ryd]"; flow: established,to_client; content: "|BD08|"; content: "|00C74500|"; distance: 2; within: 6; content: "|00FF4D08C6450C058D7D1431C0B40489C1F3ABBF|"; distance: 3; within: 23; content: "|0057BE|"; distance: 3; within: 6; content: "|0031C941FF4D0C8D9C8DA0000000FFD610C973F3FF450C91AA83C9FF8D5C8D18FFD674DDE3178D5D1CFFD674108D9DA0080000E8|"; distance: 3; within: 55; content: "|0000008B4510EB428D9DA0040000E8|"; distance: 1; within: 16; content: "|000000494978408D5D20740383C34031D242E8|"; distance: 1; within: 20; content: "|0000008D0C48F6C21074F341918D9DA0080000E8|"; distance: 1; within: 21; content: "|0000003D0008000083D9FF83F86083D9FF8945105689FE29C6F3A45EEB90BE|"; distance: 1; within: 32; content: "|00BB|"; distance: 3; within: 5; content: "|005546AD85C074|"; distance: 3; within: 10; content: "|9756FF1385C0741695AC84C075FB380674E878|"; distance: 1; within: 20; content: "|5655FF5304AB85C0|"; distance: 1; within: 9; sid: 2009000623; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[kkrunchy 023 alpha 2 - Ryd]"; flow: established,to_client; content: "|BD|"; content: "|C74500|"; distance: 4; within: 7; content: "|00B8|"; distance: 3; within: 5; content: "|0089450489455450C74510|"; distance: 3; within: 14; content: "|00FF4D0CFF4514FF4558C6451C08B8000800008D7D30ABABABABBB0000D800BF|"; distance: 3; within: 35; sid: 2009000624; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[kkrunchy 023 alpha 2 - Ryd]"; flow: established,to_client; content: "|BD|"; content: "|C74500|"; distance: 4; within: 7; content: "|00B8|"; distance: 3; within: 5; content: "|0089450489455450C74510|"; distance: 3; within: 14; content: "|00FF4D0CFF4514FF4558C6451C08B8000800008D7D30ABABABABBB0000D800BF|"; distance: 3; within: 35; content: "|0131C9418D740901B8CA8E2A2E99F7F601C389D8C1E815ABFEC175E8BE|"; distance: 3; within: 32; sid: 2009000625; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[kkrunchy V02X - Ryd]"; flow: established,to_client; content: "|BD|"; content: "|C745|"; distance: 4; within: 6; content: "|FF4D08C6450C058D7D1431C0B40489C1F3ABBF|"; distance: 5; within: 24; content: "|57BE|"; distance: 4; within: 6; content: "|31C941FF4D0C8D9C8DA0000000FFD6|"; distance: 4; within: 19; sid: 2009000626; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Krypton v02]"; flow: established,to_client; content: "|8B0C24E90A7C01|"; content: "|AD4240BDBE9D7A04|"; distance: 1; within: 9; sid: 2009000627; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Krypton v03]"; flow: established,to_client; content: "|8B0C24E9C08D01|"; content: "|C13A6ECA5D7E796DB3645A71EA|"; distance: 1; within: 14; sid: 2009000628; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Krypton v04]"; flow: established,to_client; content: "|54E8|"; content: "|5D8BC581ED6134|"; distance: 4; within: 11; content: "|2B856037|"; distance: 2; within: 6; content: "|83E806|"; distance: 2; within: 5; sid: 2009000629; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Krypton v05]"; flow: established,to_client; content: "|54E8|"; content: "|5D8BC581ED7144|"; distance: 4; within: 11; content: "|2B856460|"; distance: 2; within: 6; content: "|EB43DF|"; distance: 2; within: 5; sid: 2009000630; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[kryptor 5]"; flow: established,to_client; content: "|E803|"; content: "|E9EB6C5840FFE0|"; distance: 3; within: 10; sid: 2009000631; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[kryptor 6]"; flow: established,to_client; content: "|E803|"; content: "|E9EB685833D27402E9E940427502|"; distance: 3; within: 17; sid: 2009000632; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[kryptor 9]"; flow: established,to_client; content: "|60E8|"; content: "|5EB9|"; distance: 4; within: 6; content: "|2BC002040ED3C04979F8418D7E2C3346|"; distance: 4; within: 20; content: "|66B9|"; distance: 1; within: 3; sid: 2009000633; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[LameCrypt - LaZaRus]"; flow: established,to_client; content: "|60669CBB00|"; content: "|0080B300104000904B83FBFF75F3669D61B8|"; distance: 2; within: 20; content: "|4000FFE0|"; distance: 2; within: 6; sid: 2009000634; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[LameCrypt v10]"; flow: established,to_client; content: "|60669CBB|"; content: "|80B300104000904B83FBFF75F3669D61|"; distance: 4; within: 20; sid: 2009000635; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[LamerStop v10c (c) Stefan Esser]"; flow: established,to_client; content: "|E8|"; content: "|05|"; distance: 2; within: 3; content: "|CD2133C08EC026|"; distance: 2; within: 9; content: "|2E|"; distance: 3; within: 4; content: "|26|"; distance: 3; within: 4; content: "|2E|"; distance: 3; within: 4; content: "|BA|"; distance: 3; within: 4; content: "|FA|"; distance: 2; within: 3; sid: 2009000636; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[LaunchAnywhere v4001]"; flow: established,to_client; content: "|5589E55383EC4855B8FFFFFFFF505068E03E420064FF35000000006489250000000068C0694400E8E480FFFF59E84E290000E8C90D000085C075086AFFE86E2B000059E8A82C0000E8232E0000FF154CC2440089C3|"; sid: 2009000637; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[LOCK98 V10028 - keenvim]"; flow: established,to_client; content: "|55E8000000005D81|"; content: "|EB05E9|"; distance: 5; within: 8; content: "|EB08|"; distance: 4; within: 6; sid: 2009000638; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Lockless Intro Pack]"; flow: established,to_client; content: "|2CE8|"; content: "|5D8BC581EDF673|"; distance: 4; within: 11; content: "|2B85|"; distance: 2; within: 4; content: "|83E8068985|"; distance: 4; within: 9; sid: 2009000639; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[LTC v13]"; flow: established,to_client; content: "|54E8000000005D8BC581EDF67340002B858775400083E806|"; sid: 2009000640; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Macromedia Windows Flash ProjectorPlayer v30]"; flow: established,to_client; content: "|558BEC83EC4456FF15941342008BF0B1228A063AC175138A4601463AC1740484C075F4380E750D46EB0A3C207E06|"; sid: 2009000641; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Macromedia Windows Flash ProjectorPlayer v40]"; flow: established,to_client; content: "|83EC4456FF15244143008BF08A063C22751C8A4601463C22740C84C074088A4601463C2275F4803E22750F46EB0C|"; sid: 2009000642; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Macromedia Windows Flash ProjectorPlayer v50]"; flow: established,to_client; content: "|83EC4456FF15706144008BF08A063C22751C8A4601463C22740C84C074088A4601463C2275F4803E22750F46EB0C3C207E088A4601463C207FF88A0684C0740C3C207F088A46014684C075F48D442404C744243000|"; sid: 2009000643; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Macromedia Windows Flash ProjectorPlayer v60]"; flow: established,to_client; content: "|83EC4456FF15248149008BF08A063C22751C8A4601463C22740C84C074088A4601463C2275F4803E22750F46EB0C|"; sid: 2009000644; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MASM32]"; flow: established,to_client; content: "|6A|"; content: "|680030400068|"; distance: 1; within: 7; content: "|3040006A00E8070000006A00E806000000FF250820|"; distance: 1; within: 22; sid: 2009000645; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Matrix Dongle - TDi GmbH]"; flow: established,to_client; content: "|E800000000E800000000595A2BCA2BD1E81AFFFFFF|"; sid: 2009000646; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MEGALITE v120a]"; flow: established,to_client; content: "|B8|"; content: "|BA|"; distance: 2; within: 3; content: "|05|"; distance: 2; within: 3; content: "|3B2D73|"; distance: 2; within: 5; content: "|72|"; distance: 1; within: 2; content: "|B409BA|"; distance: 1; within: 4; content: "|CD21CD90|"; distance: 2; within: 6; sid: 2009000647; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Mew 10 exe-coder 10 - Northfox [HCC]]"; flow: established,to_client; content: "|33C0E9|"; content: "|FFFF6A|"; distance: 2; within: 5; content: "|70|"; distance: 5; within: 6; sid: 2009000648; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Mew 11 SE v12 (Eng) - Northfox]"; flow: established,to_client; content: "|E9|"; content: "|FF0C|"; distance: 3; within: 5; content: "|000000000000000000|"; distance: 2; within: 11; content: "|000C|"; distance: 3; within: 5; sid: 2009000649; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MEW 11 SE v12 - Northfox[HCC]]"; flow: established,to_client; content: "|E9|"; content: "|FF0C|"; distance: 3; within: 5; content: "|000000000000000000|"; distance: 2; within: 11; content: "|000C|"; distance: 3; within: 5; content: "|00|"; distance: 2; within: 3; sid: 2009000650; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MEW 5 10 - Northfox]"; flow: established,to_client; content: "|BE5B004000AD91AD9353AD96565FACC0C0|"; sid: 2009000651; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Mew 501 - NorthFox HCC]"; flow: established,to_client; content: "|BE5B004000AD91AD9353AD96565FACC0C0|"; content: "|04|"; distance: 1; within: 2; content: "|C0C8|"; distance: 1; within: 3; content: "|AAE2F4C300|"; distance: 1; within: 6; content: "|00|"; distance: 2; within: 3; content: "|00001040004D455720302E31206279204E6F727468666F78004D455720302E31206279204E6F727468666F78004D455720302E31206279204E6F727468666F78004D455720302E31206279204E6F727468666F78004D|"; distance: 3; within: 89; sid: 2009000652; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MicroJoiner 11 - coban2k]"; flow: established,to_client; content: "|BE0C704000BBF811400033ED83EE04392E7411|"; sid: 2009000653; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MicroJoiner 15 - coban2k]"; flow: established,to_client; content: "|BF0510400083EC308BECE8C8FFFFFFE8C3FFFFFF|"; sid: 2009000654; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MicroJoiner 16 - coban2k]"; flow: established,to_client; content: "|33C0648B38488BC8F2AFAF8B1F6633DB66813B|"; sid: 2009000655; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MicroJoiner 17 - coban2k]"; flow: established,to_client; content: "|BF001040008D5F216A0A586A04596057E88E000000|"; sid: 2009000656; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Microsoft Visual C V80]"; flow: established,to_client; content: "|6A1468|"; content: "|E8|"; distance: 4; within: 5; content: "|BB94000000536A008B|"; distance: 4; within: 13; content: "|FFD750FF|"; distance: 5; within: 9; content: "|8BF085F6750A6A12E8|"; distance: 5; within: 14; content: "|59EB18891E56FF|"; distance: 4; within: 11; content: "|5685C0751450FFD750FF|"; distance: 5; within: 15; content: "|B8|"; distance: 5; within: 6; sid: 2009000657; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Microsoft Visual C V80 (Debug)]"; flow: established,to_client; content: "|E9|"; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; sid: 2009000658; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MinGW GCC 3x]"; flow: established,to_client; content: "|5589E583EC08C70424|"; content: "|000000FF15|"; distance: 1; within: 6; content: "|E8|"; distance: 4; within: 5; content: "|FFFF|"; distance: 2; within: 4; content: "|55|"; distance: 8; within: 9; sid: 2009000659; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Minke 101 - by Codius]"; flow: established,to_client; content: "|558BEC83C4F053|"; content: "|10E87AF6FFFFBE6866001033C05568DB40001064FF30648920E8FAF8FFFFBAEC4000108BC6E8F2FAFFFF8BD8B86C6600108B16E888F2FFFFB86C660010E876F2FFFF8BD08BC38B0EE8E3E4FFFFE82AF9FFFFE8C1F8FFFFB86C6600108B16E86DFAFFFFE814F9FFFFE8ABF8FFFF8B06E8B8E3FFFF8BD8B86C660010E838F2FFFF8BD38B0EE8A7E4FF|"; distance: 5; within: 141; content: "|C4FBFFFFE8E7F8FFFF8BC3E8B0E3FFFFE8DBF8FFFF33C05A595964891068E2400010C3E950EBFFFFEBF85E5BE8BBEFFFFF00000043413138|"; distance: 4; within: 60; sid: 2009000660; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[modified HACKSTOP v111f]"; flow: established,to_client; content: "|52B430CD2152FA|"; content: "|FB3D|"; distance: 1; within: 3; content: "|EB|"; distance: 2; within: 3; content: "|CD200E1FB409E8|"; distance: 1; within: 8; sid: 2009000661; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MoleBox V23X - MoleStudiocom]"; flow: established,to_client; content: "|E80000000060E84F000000|"; sid: 2009000662; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[mPack 003 - DeltaAziz]"; flow: established,to_client; content: "|558BEC83C4F033C08945F0B8A8760010E867C4FFFF33C05568C278001064FF306489208D55F033C0E893C8FFFF8B45F0E887CBFFFFA308A5001033C05568A578001064FF30648920A108A50010E8FAC9FFFF83F8FF750AE888B2FFFFE91B010000C70514A5001032000000A108A500108B1514A50010E8C9C9FFFFBA14A50010A108A50010B904000000E8C5C9FFFF833D14A5001032770AE847B2FFFFE9DA000000A108A500108B1514A50010E892C9FFFFBA18A5|"; sid: 2009000663; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MS Visual C v8 DLL (h-small sig1)]"; flow: established,to_client; content: "|8BFF558BEC837D0C017505E8|"; content: "|FF5DE9D6FEFFFFCCCCCCCCCC|"; distance: 3; within: 15; sid: 2009000664; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MS Visual C v8 DLL (h-small sig2)]"; flow: established,to_client; content: "|8BFF558BEC538B5D08568B750C85F6578B7D100F84|"; content: "|000083FE01|"; distance: 2; within: 7; sid: 2009000665; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[muckis protector I - mucki]"; flow: established,to_client; content: "|BE|"; content: "|B9|"; distance: 4; within: 5; content: "|8A06F6D0880646E2F7E9|"; distance: 4; within: 14; sid: 2009000666; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[muckis protector II - mucki]"; flow: established,to_client; content: "|E8240000008B4C240CC70117000100C781B80000000000000031C0894114894118806A00E885C07412648B3D180000008B7F300FB6470285C07401C3C70424|"; content: "|BE|"; distance: 4; within: 5; content: "|B9|"; distance: 4; within: 5; content: "|8A06F6D0880646E2F7C3|"; distance: 4; within: 14; sid: 2009000667; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MZ0oPE 106b -- TaskFall]"; flow: established,to_client; content: "|EBCA890383C30487FE32C0AE75FD87FE803EFF75E2465B83C304538B1B803FFF75C98BE56168|"; content: "|C3|"; distance: 4; within: 5; sid: 2009000668; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[MZ0oPE 106b - TaskFall]"; flow: established,to_client; content: "|EBCA890383C30487FE32C0AE75FD87FE803EFF75E2465B83C304538B1B803FFF75C98BE56168|"; content: "|C3FCB28033DBA4B302E86D00000073F633C9E864000000731C33C0E85B0000007323B30241B010E84F00000012C073F7753FAAEBD4E84D0000002BCB7510E842000000EB28ACD1E8744C13C9EB1C9148C1E008ACE82C0000003D007D0000730A80FC05730683F87F77024141958BC5B301568BF72BF0F3A45EEB8E02D275058A164612D2C333C941E8EEFFFFFF13C9E8E7FFFFFF72F2C3|"; distance: 4; within: 155; sid: 2009000669; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[N-Joiner 01 (Asm Version) - NEX]"; flow: established,to_client; content: "|6A00680014400068001040006A00E8140000006A00E813000000CCFF25AC124000FF25B0124000FF25B4124000FF25B8124000FF25BC124000FF25C0124000FF25C4124000FF25C8124000FF25CC124000FF25D0124000FF25D4124000FF25D8124000FF25DC124000FF25E4124000FF25EC124000|"; sid: 2009000670; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[N-Joy 10 - NEX]"; flow: established,to_client; content: "|558BEC83C4F0B89C3B4000E88CFCFFFF6A0068E43940006A0A6A00E840FDFFFFE8EFF5FFFF8D4000|"; sid: 2009000671; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[N-Joy 11 - NEX]"; flow: established,to_client; content: "|558BEC83C4F0B80C3C4000E824FCFFFF6A0068283A40006A0A6A00E8D8FCFFFFE87FF5FFFF8D4000|"; sid: 2009000672; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[N-Joy 12 - NEX]"; flow: established,to_client; content: "|558BEC83C4F0B8A4324000E8E8F1FFFF6A0068542A40006A0A6A00E8A8F2FFFFE8C7EAFFFF8D4000|"; sid: 2009000673; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[N-Joy 13 - NEX]"; flow: established,to_client; content: "|558BEC83C4F0B848364000E854EEFFFF6A0068D82B40006A0A6A00E82CEFFFFFE823E7FFFF8D4000|"; sid: 2009000674; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Nakedbind 10 - nakedcrew]"; flow: established,to_client; content: "|648B38488BC8F2AFAF8B1F6633DB66813B4D5A740881EB0000|"; sid: 2009000675; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Native UD Packer 11 (Modded Poison Ivy Shellcode) - okkixot]"; flow: established,to_client; content: "|31C031DB31C9EB0E6A006A006A006A00FF1528414000FF159440400089C76888130000FF1598404000FF159440400081C78813000039F87305E9840000006A406800100000FF35043040006A00FF15A440400089C7FF350430400068CA10400050FF15A84040006A406800100000FF35083040006A00FF15A440400089C66800304000FF350430400057FF3508304000506A02FF154E4140006A006A006A00566A006A00FF159C404000506A006A006A1150FF154A414000586AFF50FF15AC4040006A00FF15A040|"; sid: 2009000676; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[nbuild v10 [soft]]"; flow: established,to_client; content: "|B9|"; content: "|BB|"; distance: 2; within: 3; content: "|C0|"; distance: 2; within: 3; content: "|80|"; distance: 2; within: 3; content: "|43E2|"; distance: 2; within: 4; sid: 2009000677; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NeoLite v10]"; flow: established,to_client; content: "|8B4424048D5424FC2305|"; content: "|E8|"; distance: 4; within: 5; content: "|FF35|"; distance: 4; within: 6; content: "|50FF25|"; distance: 4; within: 7; sid: 2009000678; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NeoLite v20]"; flow: established,to_client; content: "|E9|"; content: "|4E656F4C697465|"; distance: 28; within: 35; sid: 2009000679; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NeoLite v200]"; flow: established,to_client; content: "|8B4424042305|"; content: "|50E8|"; distance: 4; within: 6; content: "|83C404FE05|"; distance: 4; within: 9; content: "|0BC074|"; distance: 4; within: 7; sid: 2009000680; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NFO v10]"; flow: established,to_client; content: "|8D50122BC9B11E8A023477880242E2F7C88C|"; sid: 2009000681; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Ningishzida 10 - CyberDoom]"; flow: established,to_client; content: "|9C6096E8000000005D81ED03254000B9041B00008DBD4B2540008BF7AC|"; content: "|AAE2CC|"; distance: 48; within: 51; sid: 2009000682; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NoodleCrypt v20]"; flow: established,to_client; content: "|EB019AE83D000000EB019AE8EB010000EB019AE82C040000EB01|"; sid: 2009000683; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NoodleCrypt v200 (Eng) - NoodleSpa]"; flow: established,to_client; content: "|EB019AE876000000EB019AE865000000EB019AE87D000000EB019AE855000000EB019AE843040000EB019AE8E1000000EB019AE83D000000EB019AE8EB010000EB019AE82C040000EB019AE825000000EB019AE802|"; sid: 2009000684; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Noodlecrypt2 - rsc]"; flow: established,to_client; content: "|EB019AE876000000|"; sid: 2009000685; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[North Star PE Shrinker 13 - Liuxingping]"; flow: established,to_client; content: "|9C60E8000000005DB8B38540002DAC8540002BE88DB5|"; sid: 2009000686; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[nPack 111502006Beta - NEOx]"; flow: established,to_client; content: "|833D|"; content: "|7505E901000000C3E841000000B8|"; distance: 5; within: 19; content: "|2B05|"; distance: 4; within: 6; content: "|A3|"; distance: 4; within: 5; content: "|E85E000000E8E0010000E8EC060000E8F7050000A1|"; distance: 4; within: 25; content: "|C705|"; distance: 4; within: 6; content: "|0105|"; distance: 8; within: 10; content: "|FF35|"; distance: 4; within: 6; content: "|C3C3565768|"; distance: 4; within: 9; content: "|FF15|"; distance: 4; within: 6; content: "|8B35|"; distance: 4; within: 6; content: "|8BF868|"; distance: 4; within: 7; content: "|57FFD668|"; distance: 4; within: 8; content: "|57A3|"; distance: 4; within: 6; content: "|FFD65FA3|"; distance: 4; within: 8; content: "|5EC3|"; distance: 4; within: 6; sid: 2009000687; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[nPack 113002006 Beta - NEOx]"; flow: established,to_client; content: "|833D|"; content: "|7505E901000000C3E846000000E873000000B8|"; distance: 5; within: 24; content: "|2B05|"; distance: 4; within: 6; content: "|A3|"; distance: 4; within: 5; content: "|E89C000000E82D020000E8DD060000E82C060000A1|"; distance: 4; within: 25; content: "|C705|"; distance: 4; within: 6; content: "|0105|"; distance: 8; within: 10; content: "|FF35|"; distance: 4; within: 6; content: "|C3C3565768|"; distance: 4; within: 9; content: "|FF15|"; distance: 4; within: 6; content: "|8B35|"; distance: 4; within: 6; content: "|8BF868|"; distance: 4; within: 7; content: "|57FFD668|"; distance: 4; within: 8; content: "|57A3|"; distance: 4; within: 6; content: "|FFD65FA3|"; distance: 4; within: 8; content: "|5EC3|"; distance: 4; within: 6; sid: 2009000688; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[nPack v11 150-200 Beta - NEOx]"; flow: established,to_client; content: "|833D40|"; content: "|007505E901000000C3E841000000B880|"; distance: 3; within: 19; content: "|2B0508|"; distance: 3; within: 6; content: "|A33C|"; distance: 3; within: 5; content: "|00E85E000000E8E0010000E8EC060000E8F7050000|"; distance: 2; within: 23; sid: 2009000689; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[nPack v11 250 Beta - NEOx]"; flow: established,to_client; content: "|833D04|"; content: "|007505E901000000C3E846000000E873000000B82E|"; distance: 3; within: 24; content: "|2B0508|"; distance: 3; within: 6; content: "|A300|"; distance: 3; within: 5; content: "|E89C000000E804020000E8FB060000E81B060000A100|"; distance: 3; within: 25; content: "|C70504|"; distance: 3; within: 6; content: "|01000000010500|"; distance: 3; within: 10; content: "|FF3500|"; distance: 3; within: 6; sid: 2009000690; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[nPack V111502006Beta - NEOx[uinC]]"; flow: established,to_client; content: "|833D40|"; content: "|007505E901000000C3E841000000B880|"; distance: 3; within: 19; content: "|2B0508|"; distance: 3; within: 6; content: "|A33C|"; distance: 3; within: 5; content: "|E85E000000E8E0010000E8EC060000E8F7050000A13C|"; distance: 3; within: 25; content: "|C70540|"; distance: 3; within: 6; content: "|01000000010500|"; distance: 3; within: 10; content: "|FF3500|"; distance: 3; within: 6; content: "|C3C3|"; distance: 3; within: 5; sid: 2009000691; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[nPack V112002006Beta - NEOx[uinC]]"; flow: established,to_client; content: "|833D40|"; content: "|007505E901000000C3E841000000B880|"; distance: 3; within: 19; content: "|2B0508|"; distance: 3; within: 6; content: "|A33C|"; distance: 3; within: 5; content: "|E85E000000E8EC010000E8F8060000E803060000A13C|"; distance: 3; within: 25; content: "|C70540|"; distance: 3; within: 6; content: "|01000000010500|"; distance: 3; within: 10; content: "|FF3500|"; distance: 3; within: 6; content: "|C3C3|"; distance: 3; within: 5; sid: 2009000692; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NSIS Installer -- NullSoft]"; flow: established,to_client; content: "|83EC2053555633DB57895C2418C7442410|"; content: "|C644241420FF153070400053FF158072400068|"; distance: 4; within: 23; content: "|68|"; distance: 4; within: 5; content: "|A3|"; distance: 4; within: 5; content: "|E8|"; distance: 4; within: 5; content: "|BE|"; distance: 4; within: 5; sid: 2009000693; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPack 14 - Liuxingping]"; flow: established,to_client; content: "|9C60E8000000005DB8|"; content: "|40002D|"; distance: 2; within: 5; content: "|4000|"; distance: 2; within: 4; sid: 2009000694; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPack 29 - North Star]"; flow: established,to_client; content: "|9C60E8000000005DB8070000002BE88DB5|"; content: "|FFFF8A063C0074128BF58DB5|"; distance: 2; within: 14; content: "|FFFF8A063C010F8442020000C606018BD52B95|"; distance: 2; within: 21; content: "|FFFF8995|"; distance: 2; within: 6; content: "|FFFF0195|"; distance: 2; within: 6; content: "|FFFF8DB5|"; distance: 2; within: 6; content: "|FFFF0116606A40680010000068001000006A00FF95|"; distance: 2; within: 23; content: "|FFFF85C00F846A0300008985|"; distance: 2; within: 14; content: "|FFFFE8000000005BB96803000003D95053E8B1020000618B368BFD03BD|"; distance: 2; within: 31; content: "|FFFF8BDF833F00750A83C704B900000000EB16B901000000033B83C304833B007436|"; distance: 2; within: 36; sid: 2009000695; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPack 30 - North Star]"; flow: established,to_client; content: "|9C60E8000000005DB8070000002BE88DB5|"; content: "|FFFF668B066683F80074158BF58DB5|"; distance: 2; within: 17; content: "|FFFF668B066683F8010F8442020000C606018BD52B95|"; distance: 2; within: 24; content: "|FFFF8995|"; distance: 2; within: 6; content: "|FFFF0195|"; distance: 2; within: 6; content: "|FFFF8DB5|"; distance: 2; within: 6; content: "|FFFF0116606A40680010000068001000006A00FF95|"; distance: 2; within: 23; content: "|FFFF85C00F846A0300008985|"; distance: 2; within: 14; content: "|FFFFE8000000005BB96803000003D95053E8B1020000618B368BFD03BD|"; distance: 2; within: 31; content: "|FFFF8BDF833F00750A83C704B900000000EB16B901000000033B83C304833B007436|"; distance: 2; within: 36; sid: 2009000696; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPack 34 - North Star]"; flow: established,to_client; content: "|9C60E8000000005D83ED078D85|"; content: "|FFFF8038010F8442020000C600018BD52B95|"; distance: 2; within: 20; content: "|FFFF8995|"; distance: 2; within: 6; content: "|FFFF0195|"; distance: 2; within: 6; content: "|FFFF8DB5|"; distance: 2; within: 6; content: "|FFFF0116606A40680010000068001000006A00FF95|"; distance: 2; within: 23; content: "|FFFF85C00F846A0300008985|"; distance: 2; within: 14; content: "|FFFFE8000000005BB96803000003D95053E8B1020000618B368BFD03BD|"; distance: 2; within: 31; content: "|FFFF8BDF833F00750A83C704B900000000EB16B901000000033B83C304833B00743601138B33037B0457515253FFB5|"; distance: 2; within: 49; content: "|FFFFFFB5|"; distance: 2; within: 6; content: "|FFFF8BD68BCF8B85|"; distance: 2; within: 10; content: "|FFFF05AA050000FFD05B5A595F83F900740583C308EBC5|"; distance: 2; within: 25; sid: 2009000697; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NSPack 3x - Liu Xing Ping]"; flow: established,to_client; content: "|9C60E8000000005D83ED078D85|"; content: "|FFFF|"; distance: 2; within: 4; content: "|38010F84|"; distance: 1; within: 5; content: "|020000|"; distance: 1; within: 4; content: "|0001|"; distance: 1; within: 3; sid: 2009000698; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPack V11 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005DB8578440002D50844000|"; sid: 2009000699; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPack V13 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005DB8B38540002DAC854000|"; sid: 2009000700; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPack V14 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005DB8B18540002DAA854000|"; sid: 2009000701; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPacK V30 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005DB8070000002BE88DB5|"; content: "|668B066683F80074|"; distance: 4; within: 12; sid: 2009000702; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPacK V31 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005D83ED078D9D|"; content: "|8A033C0074|"; distance: 4; within: 9; sid: 2009000703; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPack v31 - North Star]"; flow: established,to_client; content: "|9C60E8000000005D83ED078D9D|"; content: "|FFFF8A033C0074108D9D|"; distance: 2; within: 12; content: "|FFFF8A033C010F8442020000C603018BD52B95|"; distance: 2; within: 21; content: "|FFFF8995|"; distance: 2; within: 6; content: "|FFFF0195|"; distance: 2; within: 6; content: "|FFFF8DB5|"; distance: 2; within: 6; content: "|FFFF0116606A40680010000068001000006A00|"; distance: 2; within: 21; sid: 2009000704; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPacK V33 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005D83ED078D85|"; content: "|80380074|"; distance: 4; within: 8; sid: 2009000705; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPacK V34-V35 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005D83ED078D85|"; content: "|8038010F84|"; distance: 4; within: 9; sid: 2009000706; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPacK V36 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005D83ED078D|"; content: "|8338010F8447020000|"; distance: 5; within: 14; sid: 2009000707; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NsPacK V37 - LiuXingPing]"; flow: established,to_client; content: "|9C60E8000000005D83ED078D|"; content: "|8039010F|"; distance: 5; within: 9; content: "|0000|"; distance: 3; within: 5; sid: 2009000708; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NTPacker 10 - ErazerZ]"; flow: established,to_client; content: "|558BEC83C4E05333C08945E08945E48945E88945ECB8|"; content: "|4000E8|"; distance: 2; within: 5; content: "|FFFF33C05568|"; distance: 2; within: 8; content: "|400064FF306489208D4DECBA|"; distance: 2; within: 14; content: "|4000A1|"; distance: 2; within: 5; content: "|4000E8|"; distance: 2; within: 5; content: "|FCFFFF8B55ECB8|"; distance: 1; within: 8; content: "|4000E8|"; distance: 2; within: 5; content: "|FFFF8D4DE8BA|"; distance: 2; within: 8; content: "|4000A1|"; distance: 2; within: 5; content: "|4000E8|"; distance: 2; within: 5; content: "|FEFFFF8B55E8B8|"; distance: 1; within: 8; content: "|4000E8|"; distance: 2; within: 5; content: "|FFFFB8|"; distance: 2; within: 5; content: "|4000E8|"; distance: 2; within: 5; content: "|FBFFFF8BD8A1|"; distance: 1; within: 7; content: "|4000BA|"; distance: 2; within: 5; content: "|4000E8|"; distance: 2; within: 5; content: "|FFFF75268BD3A1|"; distance: 2; within: 9; content: "|4000E8|"; distance: 2; within: 5; content: "|FFFF84C0752A8D55E433C0E8|"; distance: 2; within: 14; content: "|FFFF8B45E48BD3E8|"; distance: 2; within: 10; content: "|FFFFEB148D55E033C0E8|"; distance: 2; within: 12; content: "|FFFF8B45E08BD3E8|"; distance: 2; within: 10; content: "|FFFF6A00E8|"; distance: 2; within: 7; content: "|FFFF33C05A595964891068|"; distance: 2; within: 13; content: "|40008D45E0BA04000000E8|"; distance: 2; within: 13; content: "|FFFFC3E9|"; distance: 2; within: 6; content: "|FFFFEBEB5BE8|"; distance: 2; within: 8; content: "|FFFF000000FFFFFFFF0100000025000000FFFFFFFF010000005C000000FFFFFFFF060000005345525645520000FFFFFFFF0100000031|"; distance: 2; within: 56; sid: 2009000709; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Nullsoft Install System v198]"; flow: established,to_client; content: "|83EC0C535657FF152C8140|"; sid: 2009000710; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Nullsoft Install System v1xx]"; flow: established,to_client; content: "|558BEC83EC2C535633F657568975DC8975F4BBA49E4000FF1560704000BFC0B2400068040100005750A3ACB24000FF154C70400056566A03566A01680000008057FF159C7040008BF883FFFF897DEC0F84C3000000|"; sid: 2009000711; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Nullsoft Install System v1xx]"; flow: established,to_client; content: "|83EC0C535657FF152071400005E8030000BE60FD410089442410B320FF15287040006800040000FF15287140005056FF1508714000803D60FD410022750880C302BE61FD41008A068B3DF071400084C0740F3AC374|"; sid: 2009000712; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Nullsoft Install System v20b2 v20b3]"; flow: established,to_client; content: "|83EC0C53555657FF15|"; content: "|7040008B35|"; distance: 1; within: 6; content: "|92400005E803000089442414B320FF152C704000BF0004000068|"; distance: 1; within: 27; content: "|0057FF15|"; distance: 3; within: 7; content: "|400057FF15|"; distance: 2; within: 7; sid: 2009000713; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Nullsoft PIMP Install System v13x]"; flow: established,to_client; content: "|558BEC81EC|"; content: "|000056576A|"; distance: 2; within: 7; content: "|BE|"; distance: 1; within: 2; content: "|598DBD|"; distance: 4; within: 7; sid: 2009000714; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Nullsoft PIMP Install System v1x]"; flow: established,to_client; content: "|83EC5C53555657FF15|"; content: "|00|"; distance: 3; within: 4; sid: 2009000715; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[NX PE Packer v10]"; flow: established,to_client; content: "|FF60FFCAFF00BADC0DE040005000600070008000|"; sid: 2009000716; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1200 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E83F1E0000|"; distance: 2; within: 7; sid: 2009000717; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1258 - Obsidium Software]"; flow: established,to_client; content: "|EB01|"; content: "|E829000000EB02|"; distance: 1; within: 8; content: "|EB01|"; distance: 2; within: 4; content: "|8B54240CEB04|"; distance: 1; within: 7; content: "|8382B800000024EB04|"; distance: 4; within: 13; content: "|33C0EB02|"; distance: 4; within: 8; content: "|C3EB02|"; distance: 2; within: 5; content: "|EB03|"; distance: 2; within: 4; content: "|6467FF360000EB01|"; distance: 3; within: 11; content: "|646789260000EB03|"; distance: 1; within: 9; content: "|EB01|"; distance: 3; within: 5; content: "|50EB03|"; distance: 1; within: 4; content: "|33C0EB04|"; distance: 3; within: 7; content: "|8B00EB03|"; distance: 4; within: 8; content: "|C3EB01|"; distance: 3; within: 6; content: "|E9FA000000EB02|"; distance: 1; within: 8; content: "|E8D5FFFFFFEB04|"; distance: 2; within: 9; content: "|EB03|"; distance: 4; within: 6; content: "|EB01|"; distance: 3; within: 5; content: "|58EB01|"; distance: 1; within: 4; content: "|EB02|"; distance: 1; within: 3; content: "|64678F060000EB04|"; distance: 2; within: 10; content: "|83C404EB01|"; distance: 4; within: 9; content: "|E87B210000|"; distance: 1; within: 6; sid: 2009000718; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1300 - Obsidium Software]"; flow: established,to_client; content: "|EB04|"; content: "|E829000000EB02|"; distance: 4; within: 11; content: "|EB01|"; distance: 2; within: 4; content: "|8B54240CEB02|"; distance: 1; within: 7; content: "|8382B800000022EB02|"; distance: 2; within: 11; content: "|33C0EB04|"; distance: 2; within: 6; content: "|C3EB04|"; distance: 4; within: 7; content: "|EB04|"; distance: 4; within: 6; content: "|6467FF360000EB04|"; distance: 4; within: 12; content: "|646789260000EB04|"; distance: 4; within: 12; content: "|EB01|"; distance: 4; within: 6; content: "|50EB03|"; distance: 1; within: 4; content: "|33C0EB02|"; distance: 3; within: 7; content: "|8B00EB01|"; distance: 2; within: 6; content: "|C3EB04|"; distance: 1; within: 4; content: "|E9FA000000EB01|"; distance: 4; within: 11; content: "|E8D5FFFFFFEB02|"; distance: 1; within: 8; content: "|EB03|"; distance: 2; within: 4; content: "|58EB04|"; distance: 3; within: 6; content: "|EB01|"; distance: 4; within: 6; content: "|64678F060000EB02|"; distance: 1; within: 9; content: "|83C404EB02|"; distance: 2; within: 7; content: "|E847260000|"; distance: 2; within: 7; sid: 2009000719; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 13013 - Obsidium Software]"; flow: established,to_client; content: "|EB01|"; content: "|E826000000EB02|"; distance: 1; within: 8; content: "|EB02|"; distance: 2; within: 4; content: "|8B54240CEB01|"; distance: 2; within: 8; content: "|8382B800000021EB04|"; distance: 1; within: 10; content: "|33C0EB02|"; distance: 4; within: 8; content: "|C3EB01|"; distance: 2; within: 5; content: "|EB04|"; distance: 1; within: 3; content: "|6467FF360000EB02|"; distance: 4; within: 12; content: "|646789260000EB01|"; distance: 2; within: 10; content: "|EB03|"; distance: 1; within: 3; content: "|50EB01|"; distance: 3; within: 6; content: "|33C0EB03|"; distance: 1; within: 5; content: "|8B00EB02|"; distance: 3; within: 7; content: "|C3EB02|"; distance: 2; within: 5; content: "|E9FA000000EB01|"; distance: 2; within: 9; content: "|E8D5FFFFFFEB03|"; distance: 1; within: 8; content: "|EB02|"; distance: 3; within: 5; content: "|58EB03|"; distance: 2; within: 5; content: "|EB04|"; distance: 3; within: 5; content: "|64678F060000EB03|"; distance: 4; within: 12; content: "|83C404EB03|"; distance: 3; within: 8; content: "|E813260000|"; distance: 3; within: 8; sid: 2009000720; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 13017 - Obsidium software]"; flow: established,to_client; content: "|EB02|"; content: "|E828000000EB04|"; distance: 2; within: 9; content: "|EB01|"; distance: 4; within: 6; content: "|8B54240CEB01|"; distance: 1; within: 7; content: "|8382B800000025EB02|"; distance: 1; within: 10; content: "|33C0EB03|"; distance: 2; within: 6; content: "|C3EB03|"; distance: 3; within: 6; content: "|EB02|"; distance: 3; within: 5; content: "|6467FF360000EB01|"; distance: 2; within: 10; content: "|646789260000EB03|"; distance: 1; within: 9; content: "|EB04|"; distance: 3; within: 5; content: "|50EB04|"; distance: 4; within: 7; sid: 2009000721; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 13021 - Obsidium Software]"; flow: established,to_client; content: "|EB03|"; content: "|E82E000000EB04|"; distance: 3; within: 10; content: "|EB04|"; distance: 4; within: 6; content: "|8B54240CEB04|"; distance: 4; within: 10; content: "|8382B800000023EB01|"; distance: 4; within: 13; content: "|33C0EB04|"; distance: 1; within: 5; content: "|C3EB03|"; distance: 4; within: 7; content: "|EB02|"; distance: 3; within: 5; content: "|6467FF360000EB01|"; distance: 2; within: 10; content: "|646789260000EB02|"; distance: 1; within: 9; content: "|EB02|"; distance: 2; within: 4; content: "|50EB01|"; distance: 2; within: 5; content: "|33C0EB03|"; distance: 1; within: 5; content: "|8B00EB03|"; distance: 3; within: 7; content: "|C3EB03|"; distance: 3; within: 6; content: "|E9FA000000EB04|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB01|"; distance: 4; within: 11; content: "|EB01|"; distance: 1; within: 3; content: "|58EB04|"; distance: 1; within: 4; content: "|EB04|"; distance: 4; within: 6; content: "|64678F060000EB03|"; distance: 4; within: 12; content: "|83C404EB04|"; distance: 3; within: 8; content: "|E82B260000|"; distance: 4; within: 9; sid: 2009000722; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 13037 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E826000000EB03|"; distance: 2; within: 9; content: "|EB01|"; distance: 3; within: 5; content: "|8B54240CEB04|"; distance: 1; within: 7; content: "|8382B800000026EB01|"; distance: 4; within: 13; content: "|33C0EB02|"; distance: 1; within: 5; content: "|C3EB01|"; distance: 2; within: 5; content: "|EB04|"; distance: 1; within: 3; content: "|6467FF360000EB01|"; distance: 4; within: 12; content: "|646789260000EB01|"; distance: 1; within: 9; content: "|EB03|"; distance: 1; within: 3; content: "|50EB03|"; distance: 3; within: 6; content: "|33C0EB03|"; distance: 3; within: 7; content: "|8B00EB04|"; distance: 3; within: 7; content: "|C3EB03|"; distance: 4; within: 7; content: "|E9FA000000EB03|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB04|"; distance: 3; within: 10; content: "|EB01|"; distance: 4; within: 6; content: "|58EB02|"; distance: 1; within: 4; content: "|EB03|"; distance: 2; within: 4; content: "|64678F060000EB01|"; distance: 3; within: 11; content: "|83C404EB03|"; distance: 1; within: 6; content: "|E823270000|"; distance: 3; within: 8; sid: 2009000723; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1311 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E827000000EB02|"; distance: 2; within: 9; content: "|EB03|"; distance: 2; within: 4; content: "|8B54240CEB01|"; distance: 3; within: 9; content: "|8382B800000022EB04|"; distance: 1; within: 10; content: "|33C0EB01|"; distance: 4; within: 8; content: "|C3EB02|"; distance: 1; within: 4; content: "|EB02|"; distance: 2; within: 4; content: "|6467FF360000EB04|"; distance: 2; within: 10; content: "|646789260000EB01|"; distance: 4; within: 12; content: "|EB03|"; distance: 1; within: 3; content: "|50EB03|"; distance: 3; within: 6; content: "|33C0EB01|"; distance: 3; within: 7; content: "|8B00EB03|"; distance: 1; within: 5; content: "|C3EB01|"; distance: 3; within: 6; content: "|E9FA000000EB03|"; distance: 1; within: 8; content: "|E8D5FFFFFFEB01|"; distance: 3; within: 10; content: "|EB03|"; distance: 1; within: 3; content: "|58EB03|"; distance: 3; within: 6; content: "|EB01|"; distance: 3; within: 5; content: "|64678F060000EB01|"; distance: 1; within: 9; content: "|83C404EB03|"; distance: 1; within: 6; sid: 2009000724; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1322 - Obsidium Software]"; flow: established,to_client; content: "|EB04|"; content: "|E82A000000EB03|"; distance: 4; within: 11; content: "|EB04|"; distance: 3; within: 5; content: "|8B54240CEB02|"; distance: 4; within: 10; content: "|8382B800000026EB04|"; distance: 2; within: 11; content: "|33C0EB02|"; distance: 4; within: 8; content: "|C3EB01|"; distance: 2; within: 5; content: "|EB03|"; distance: 1; within: 3; content: "|6467FF360000EB02|"; distance: 3; within: 11; content: "|646789260000EB02|"; distance: 2; within: 10; content: "|EB01|"; distance: 2; within: 4; content: "|50EB04|"; distance: 1; within: 4; content: "|33C0EB04|"; distance: 4; within: 8; content: "|8B00EB02|"; distance: 4; within: 8; content: "|C3EB03|"; distance: 2; within: 5; content: "|E9FA000000EB04|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB02|"; distance: 4; within: 11; content: "|EB04|"; distance: 2; within: 4; content: "|58EB01|"; distance: 4; within: 7; content: "|EB01|"; distance: 1; within: 3; content: "|64678F060000EB01|"; distance: 1; within: 9; content: "|83C404EB04|"; distance: 1; within: 6; sid: 2009000725; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1331 - Obsidium Software]"; flow: established,to_client; content: "|EB01|"; content: "|E829000000EB02|"; distance: 1; within: 8; content: "|EB03|"; distance: 2; within: 4; content: "|8B54240CEB02|"; distance: 3; within: 9; content: "|8382B800000024EB04|"; distance: 2; within: 11; content: "|33C0EB02|"; distance: 4; within: 8; content: "|C3EB02|"; distance: 2; within: 5; content: "|EB02|"; distance: 2; within: 4; content: "|6467FF360000EB04|"; distance: 2; within: 10; content: "|646789260000EB01|"; distance: 4; within: 12; content: "|EB02|"; distance: 1; within: 3; content: "|50EB01|"; distance: 2; within: 5; content: "|33C0EB04|"; distance: 1; within: 5; content: "|8B00EB03|"; distance: 4; within: 8; content: "|C3EB03|"; distance: 3; within: 6; content: "|E9FA000000EB02|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB01|"; distance: 2; within: 9; content: "|EB04|"; distance: 1; within: 3; content: "|58EB02|"; distance: 4; within: 7; content: "|EB04|"; distance: 2; within: 4; content: "|64678F060000EB01|"; distance: 4; within: 12; content: "|83C404EB02|"; distance: 1; within: 6; content: "|E85F270000|"; distance: 2; within: 7; sid: 2009000726; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1332 - Obsidium Software]"; flow: established,to_client; content: "|EB01|"; content: "|E82B000000EB02|"; distance: 1; within: 8; content: "|EB02|"; distance: 2; within: 4; content: "|8B54240CEB03|"; distance: 2; within: 8; content: "|8382B800000024EB04|"; distance: 3; within: 12; content: "|33C0EB04|"; distance: 4; within: 8; content: "|C3EB02|"; distance: 4; within: 7; content: "|EB01|"; distance: 2; within: 4; content: "|6467FF360000EB03|"; distance: 1; within: 9; content: "|646789260000EB01|"; distance: 3; within: 11; content: "|EB02|"; distance: 1; within: 3; content: "|50EB02|"; distance: 2; within: 5; content: "|33C0EB02|"; distance: 2; within: 6; content: "|8B00EB02|"; distance: 2; within: 6; content: "|C3EB04|"; distance: 2; within: 5; content: "|E9FA000000EB03|"; distance: 4; within: 11; content: "|E8D5FFFFFFEB03|"; distance: 3; within: 10; content: "|EB01|"; distance: 3; within: 5; content: "|58EB01|"; distance: 1; within: 4; content: "|EB02|"; distance: 1; within: 3; content: "|64678F060000EB02|"; distance: 2; within: 10; content: "|83C404EB02|"; distance: 2; within: 7; content: "|E83B270000|"; distance: 2; within: 7; sid: 2009000727; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1333 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E829000000EB03|"; distance: 2; within: 9; content: "|EB03|"; distance: 3; within: 5; content: "|8B54240CEB01|"; distance: 3; within: 9; content: "|8382B800000028EB03|"; distance: 1; within: 10; content: "|33C0EB01|"; distance: 3; within: 7; content: "|C3EB04|"; distance: 1; within: 4; content: "|EB02|"; distance: 4; within: 6; content: "|6467FF360000EB04|"; distance: 2; within: 10; content: "|646789260000EB02|"; distance: 4; within: 12; content: "|EB04|"; distance: 2; within: 4; content: "|50EB04|"; distance: 4; within: 7; sid: 2009000728; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1333 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E829000000EB03|"; distance: 2; within: 9; content: "|EB03|"; distance: 3; within: 5; content: "|8B54240CEB01|"; distance: 3; within: 9; content: "|8382B800000028EB03|"; distance: 1; within: 10; content: "|33C0EB01|"; distance: 3; within: 7; content: "|C3EB04|"; distance: 1; within: 4; content: "|EB02|"; distance: 4; within: 6; content: "|6467FF360000EB04|"; distance: 2; within: 10; content: "|646789260000EB02|"; distance: 4; within: 12; content: "|EB04|"; distance: 2; within: 4; content: "|50EB04|"; distance: 4; within: 7; content: "|33C0EB01|"; distance: 4; within: 8; content: "|8B00EB03|"; distance: 1; within: 5; content: "|C3EB03|"; distance: 3; within: 6; content: "|E9FA000000EB03|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB04|"; distance: 3; within: 10; content: "|EB04|"; distance: 4; within: 6; content: "|58EB01|"; distance: 4; within: 7; content: "|EB03|"; distance: 1; within: 3; content: "|64678F060000EB04|"; distance: 3; within: 11; content: "|83C404EB04|"; distance: 4; within: 9; content: "|E82B27|"; distance: 4; within: 7; sid: 2009000729; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1334 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E829000000EB03|"; distance: 2; within: 9; content: "|EB02|"; distance: 3; within: 5; content: "|8B54240CEB03|"; distance: 2; within: 8; content: "|8382B800000025EB02|"; distance: 3; within: 12; content: "|33C0EB02|"; distance: 2; within: 6; content: "|C3EB03|"; distance: 2; within: 5; content: "|EB01|"; distance: 3; within: 5; content: "|6467FF360000EB02|"; distance: 1; within: 9; content: "|646789260000EB02|"; distance: 2; within: 10; content: "|EB04|"; distance: 2; within: 4; content: "|50EB02|"; distance: 4; within: 7; content: "|33|"; distance: 2; within: 3; sid: 2009000730; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1334 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E829000000EB03|"; distance: 2; within: 9; content: "|EB02|"; distance: 3; within: 5; content: "|8B54240CEB03|"; distance: 2; within: 8; content: "|8382B800000025EB02|"; distance: 3; within: 12; content: "|33C0EB02|"; distance: 2; within: 6; content: "|C3EB03|"; distance: 2; within: 5; content: "|EB01|"; distance: 3; within: 5; content: "|6467FF360000EB02|"; distance: 1; within: 9; content: "|646789260000EB02|"; distance: 2; within: 10; content: "|EB04|"; distance: 2; within: 4; content: "|50EB02|"; distance: 4; within: 7; content: "|33C0EB01|"; distance: 2; within: 6; content: "|8B00EB04|"; distance: 1; within: 5; content: "|C3EB03|"; distance: 4; within: 7; content: "|E9FA000000EB02|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB02|"; distance: 2; within: 9; content: "|EB03|"; distance: 2; within: 4; content: "|58EB02|"; distance: 3; within: 6; content: "|EB03|"; distance: 2; within: 4; content: "|64678F060000EB03|"; distance: 3; within: 11; sid: 2009000731; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1337 (20070623) - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E827000000EB03|"; distance: 2; within: 9; content: "|EB01|"; distance: 3; within: 5; content: "|8B54240CEB03|"; distance: 1; within: 7; content: "|8382B800000023EB03|"; distance: 3; within: 12; content: "|33C0EB02|"; distance: 3; within: 7; content: "|C3EB01|"; distance: 2; within: 5; content: "|EB03|"; distance: 1; within: 3; content: "|6467FF360000EB04|"; distance: 3; within: 11; content: "|646789260000EB01|"; distance: 4; within: 12; content: "|EB01|"; distance: 1; within: 3; content: "|50EB02|"; distance: 1; within: 4; content: "|33C0EB01|"; distance: 2; within: 6; content: "|8B00EB04|"; distance: 1; within: 5; content: "|C3EB02|"; distance: 4; within: 7; content: "|E9FA000000EB04|"; distance: 2; within: 9; content: "|E8D5FFFFFFEB01|"; distance: 4; within: 11; content: "|EB01|"; distance: 1; within: 3; content: "|58EB04|"; distance: 1; within: 4; content: "|EB01|"; distance: 4; within: 6; content: "|64678F060000EB02|"; distance: 1; within: 9; content: "|83C404EB01|"; distance: 2; within: 7; content: "|E8F7260000|"; distance: 1; within: 6; sid: 2009000732; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1337 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E82C000000EB04|"; distance: 2; within: 9; content: "|EB04|"; distance: 4; within: 6; content: "|8B54240CEB02|"; distance: 4; within: 10; content: "|8382B800000027EB04|"; distance: 2; within: 11; content: "|33C0EB02|"; distance: 4; within: 8; content: "|C3EB02|"; distance: 2; within: 5; content: "|EB03|"; distance: 2; within: 4; content: "|6467FF360000EB04|"; distance: 3; within: 11; content: "|646789260000EB03|"; distance: 4; within: 12; content: "|EB01|"; distance: 3; within: 5; content: "|50EB02|"; distance: 1; within: 4; content: "|33C0EB02|"; distance: 2; within: 6; content: "|8B00EB04|"; distance: 2; within: 6; content: "|C3EB02|"; distance: 4; within: 7; content: "|E9FA000000EB04|"; distance: 2; within: 9; content: "|E8D5FFFFFFEB02|"; distance: 4; within: 11; content: "|EB04|"; distance: 2; within: 4; content: "|58EB04|"; distance: 4; within: 7; content: "|EB03|"; distance: 4; within: 6; content: "|64678F060000EB01|"; distance: 3; within: 11; content: "|83C404EB03|"; distance: 1; within: 6; content: "|E823270000|"; distance: 3; within: 8; sid: 2009000733; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1338 - Obsidium Software]"; flow: established,to_client; content: "|EB04|"; content: "|E828000000EB01|"; distance: 4; within: 11; content: "|EB01|"; distance: 1; within: 3; content: "|8B54240CEB04|"; distance: 1; within: 7; content: "|8382B8000000|"; distance: 4; within: 10; content: "|EB04|"; distance: 1; within: 3; content: "|33C0EB03|"; distance: 4; within: 8; content: "|C3EB01|"; distance: 3; within: 6; content: "|EB01|"; distance: 1; within: 3; content: "|6467FF360000EB03|"; distance: 1; within: 9; content: "|646789260000EB02|"; distance: 3; within: 11; content: "|EB01|"; distance: 2; within: 4; content: "|50EB04|"; distance: 1; within: 4; content: "|33C0EB02|"; distance: 4; within: 8; content: "|8B00EB03|"; distance: 2; within: 6; content: "|C3EB03|"; distance: 3; within: 6; content: "|E9FA000000EB03|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB02|"; distance: 3; within: 10; content: "|EB04|"; distance: 2; within: 4; content: "|58EB04|"; distance: 4; within: 7; content: "|EB02|"; distance: 4; within: 6; content: "|64678F060000EB04|"; distance: 2; within: 10; content: "|83C404EB04|"; distance: 4; within: 9; content: "|E857270000|"; distance: 4; within: 9; sid: 2009000734; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1339 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E829000000EB03|"; distance: 2; within: 9; content: "|EB01|"; distance: 3; within: 5; content: "|8B54240CEB04|"; distance: 1; within: 7; content: "|8382B800000028EB02|"; distance: 4; within: 13; content: "|33C0EB02|"; distance: 2; within: 6; content: "|C3EB03|"; distance: 2; within: 5; content: "|EB04|"; distance: 3; within: 5; content: "|6467FF360000EB03|"; distance: 4; within: 12; content: "|646789260000EB01|"; distance: 3; within: 11; content: "|EB01|"; distance: 1; within: 3; content: "|50EB03|"; distance: 1; within: 4; content: "|33C0EB03|"; distance: 3; within: 7; content: "|8B00EB04|"; distance: 3; within: 7; content: "|C3EB04|"; distance: 4; within: 7; content: "|E9FA000000EB03|"; distance: 4; within: 11; content: "|E8D5FFFFFFEB02|"; distance: 3; within: 10; content: "|EB04|"; distance: 2; within: 4; content: "|58EB03|"; distance: 4; within: 7; content: "|EB04|"; distance: 3; within: 5; content: "|64678F060000EB03|"; distance: 4; within: 12; content: "|83C404EB04|"; distance: 3; within: 8; content: "|E8CF270000|"; distance: 4; within: 9; sid: 2009000735; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium 1341 - Obsidium Software]"; flow: established,to_client; content: "|EB01|"; content: "|E82A000000EB04|"; distance: 1; within: 8; content: "|EB02|"; distance: 4; within: 6; content: "|8B54240CEB03|"; distance: 2; within: 8; content: "|8382B800000021EB02|"; distance: 3; within: 12; content: "|33C0EB03|"; distance: 2; within: 6; content: "|C3EB02|"; distance: 3; within: 6; content: "|EB01|"; distance: 2; within: 4; content: "|6467FF360000EB01|"; distance: 1; within: 9; content: "|646789260000EB02|"; distance: 1; within: 9; content: "|EB03|"; distance: 2; within: 4; content: "|50EB04|"; distance: 3; within: 6; content: "|33C0EB02|"; distance: 4; within: 8; content: "|8B00EB04|"; distance: 2; within: 6; content: "|C3EB02|"; distance: 4; within: 7; content: "|E9FA000000EB02|"; distance: 2; within: 9; content: "|E8D5FFFFFFEB01|"; distance: 2; within: 9; content: "|EB01|"; distance: 1; within: 3; content: "|58EB03|"; distance: 1; within: 4; content: "|EB04|"; distance: 3; within: 5; content: "|64678F060000EB04|"; distance: 4; within: 12; content: "|83C404EB02|"; distance: 4; within: 9; content: "|E8C3270000|"; distance: 2; within: 7; sid: 2009000736; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium v1111]"; flow: established,to_client; content: "|EB02|"; content: "|E8E71C0000|"; distance: 2; within: 7; sid: 2009000737; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V12 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E8771E0000|"; distance: 2; within: 7; sid: 2009000738; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium v1250 - Obsidium Software]"; flow: established,to_client; content: "|E80E0000008B54240C8382B80000000D33C0C36467FF3600006467892600005033C08B00C3E9FA000000E8D5FFFFFF5864678F06000083C404E82B130000|"; sid: 2009000739; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V1258 - Obsidium Software]"; flow: established,to_client; content: "|EB01|"; content: "|E8|"; distance: 1; within: 2; content: "|000000|"; distance: 1; within: 4; sid: 2009000740; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V1258-V133X - Obsidium Software]"; flow: established,to_client; content: "|EB01|"; content: "|E8|"; distance: 1; within: 2; content: "|000000EB02|"; distance: 1; within: 6; content: "|EB|"; distance: 2; within: 3; sid: 2009000741; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V12X - Obsidium Software]"; flow: established,to_client; content: "|E80E00000033C08B54240C8382B80000000DC36467FF3600006467892600005033C08B00C3E9FA000000E8D5FFFFFF5864678F06000083C404E82B130000|"; sid: 2009000742; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V125 - Obsidium Software]"; flow: established,to_client; content: "|E80E0000008B54240C8382B80000000D33C0C3|"; sid: 2009000743; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium v1300 - Obsidium Software]"; flow: established,to_client; content: "|EB04258034CAE829000000EB02C181EB013A8B54240CEB0232928382B800000022EB02F27F33C0EB04657E1479C3EB0405AD7F45EB0405650BE86467FF360000EB040DF6A87F646789260000EB048D68C7FBEB016B|"; sid: 2009000744; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium v1300 - Obsidium Software]"; flow: established,to_client; content: "|EB04258034CAE829000000EB02C181EB013A8B54240CEB0232928382B800000022EB02F27F33C0EB04657E1479C3EB0405AD7F45EB0405650BE86467FF360000EB040DF6A87F646789260000EB048D68C7FBEB016B50EB038A0B9333C0EB0228B98B00EB0104C3EB0465B3540AE9FA000000EB01A2E8D5FFFFFFEB022B49EB037C3E7658EB04B8949256EB017264678F060000EB02237283C404EB02A9CBE847260000|"; sid: 2009000745; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V1300 - Obsidium Software]"; flow: established,to_client; content: "|EB04|"; content: "|E829000000|"; distance: 4; within: 9; sid: 2009000746; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V1300 - Obsidium Software]"; flow: established,to_client; content: "|EB04|"; content: "|E8|"; distance: 4; within: 5; content: "|000000|"; distance: 1; within: 4; sid: 2009000747; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium v13037 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E826000000EB03|"; distance: 2; within: 9; content: "|EB01|"; distance: 3; within: 5; content: "|8B54240CEB04|"; distance: 1; within: 7; content: "|8382B800000026EB01|"; distance: 4; within: 13; content: "|33C0EB02|"; distance: 1; within: 5; content: "|C3EB01|"; distance: 2; within: 5; content: "|EB04|"; distance: 1; within: 3; content: "|6467FF360000EB01|"; distance: 4; within: 12; content: "|646789260000EB01|"; distance: 1; within: 9; content: "|EB03|"; distance: 1; within: 3; content: "|50EB03|"; distance: 3; within: 6; content: "|33C0EB03|"; distance: 3; within: 7; content: "|8B00EB04|"; distance: 3; within: 7; content: "|C3EB03|"; distance: 4; within: 7; content: "|E9FA000000EB03|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB04|"; distance: 3; within: 10; content: "|EB01|"; distance: 4; within: 6; content: "|58EB02|"; distance: 1; within: 4; content: "|EB03|"; distance: 2; within: 4; content: "|64678F060000EB01|"; distance: 3; within: 11; content: "|83C404EB03|"; distance: 1; within: 6; content: "|E82327|"; distance: 3; within: 6; sid: 2009000748; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium v1304 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E825000000EB04|"; distance: 2; within: 9; content: "|EB01|"; distance: 4; within: 6; content: "|8B54240CEB01|"; distance: 1; within: 7; content: "|8382B800000023EB01|"; distance: 1; within: 10; content: "|33C0EB02|"; distance: 1; within: 5; content: "|C3EB02|"; distance: 2; within: 5; content: "|EB04|"; distance: 2; within: 4; content: "|6467FF360000EB03|"; distance: 4; within: 12; content: "|646789260000EB02|"; distance: 3; within: 11; content: "|EB01|"; distance: 2; within: 4; content: "|50EB01|"; distance: 1; within: 4; content: "|33C0EB01|"; distance: 1; within: 5; sid: 2009000749; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium v1304 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E825000000EB04|"; distance: 2; within: 9; content: "|EB01|"; distance: 4; within: 6; content: "|8B54240CEB01|"; distance: 1; within: 7; content: "|8382B800000023EB01|"; distance: 1; within: 10; content: "|33C0EB02|"; distance: 1; within: 5; content: "|C3EB02|"; distance: 2; within: 5; content: "|EB04|"; distance: 2; within: 4; content: "|6467FF360000EB03|"; distance: 4; within: 12; content: "|646789260000EB02|"; distance: 3; within: 11; content: "|EB01|"; distance: 2; within: 4; content: "|50EB01|"; distance: 1; within: 4; content: "|33C0EB01|"; distance: 1; within: 5; content: "|8B00EB01|"; distance: 1; within: 5; content: "|C3EB02|"; distance: 1; within: 4; content: "|E9FA000000EB02|"; distance: 2; within: 9; content: "|E8D5FFFFFFEB03|"; distance: 2; within: 9; content: "|EB04|"; distance: 3; within: 5; content: "|58EB02|"; distance: 4; within: 7; content: "|EB04|"; distance: 2; within: 4; content: "|64678F060000EB03|"; distance: 4; within: 12; content: "|83C404EB01|"; distance: 3; within: 8; content: "|E83B260000|"; distance: 1; within: 6; sid: 2009000750; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V1304 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E8|"; distance: 2; within: 3; content: "|000000|"; distance: 1; within: 4; sid: 2009000751; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V130X - Obsidium Software]"; flow: established,to_client; content: "|EB03|"; content: "|E82E000000EB04|"; distance: 3; within: 10; content: "|EB04|"; distance: 4; within: 6; content: "|8B|"; distance: 4; within: 5; content: "|EB04|"; distance: 3; within: 5; content: "|83|"; distance: 4; within: 5; content: "|EB01|"; distance: 6; within: 8; content: "|33C0EB04|"; distance: 1; within: 5; content: "|C3|"; distance: 4; within: 5; sid: 2009000752; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V1342 - Obsidium Software]"; flow: established,to_client; content: "|EB02|"; content: "|E826000000EB03|"; distance: 2; within: 9; content: "|EB01|"; distance: 3; within: 5; content: "|8B54240CEB02|"; distance: 1; within: 7; content: "|8382B800000024EB03|"; distance: 2; within: 11; content: "|33C0EB01|"; distance: 3; within: 7; content: "|C3EB02|"; distance: 1; within: 4; content: "|EB02|"; distance: 2; within: 4; content: "|6467FF360000EB03|"; distance: 2; within: 10; content: "|646789260000EB03|"; distance: 3; within: 11; content: "|EB03|"; distance: 3; within: 5; content: "|50EB04|"; distance: 3; within: 6; content: "|33C0EB03|"; distance: 4; within: 8; content: "|8B00EB03|"; distance: 3; within: 7; content: "|C3EB03|"; distance: 3; within: 6; content: "|E9FA000000EB03|"; distance: 3; within: 10; content: "|E8D5FFFFFFEB01|"; distance: 3; within: 10; content: "|EB03|"; distance: 1; within: 3; content: "|58EB04|"; distance: 3; within: 6; content: "|EB04|"; distance: 4; within: 6; content: "|64678F060000EB04|"; distance: 4; within: 12; content: "|83C404EB01|"; distance: 4; within: 9; content: "|E8C3270000|"; distance: 1; within: 6; sid: 2009000753; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsidium V1350 - Obsidium Software]"; flow: established,to_client; content: "|EB03|"; content: "|E8|"; distance: 3; within: 4; content: "|EB02|"; distance: 4; within: 6; content: "|EB04|"; distance: 2; within: 4; content: "|8B54240CEB04|"; distance: 4; within: 10; content: "|8382B800000020EB03|"; distance: 4; within: 13; content: "|33C0EB01|"; distance: 3; within: 7; content: "|C3EB02|"; distance: 1; within: 4; content: "|EB03|"; distance: 2; within: 4; content: "|6467FF360000EB03|"; distance: 3; within: 11; content: "|646789260000EB01|"; distance: 3; within: 11; content: "|EB04|"; distance: 1; within: 3; content: "|50EB04|"; distance: 4; within: 7; content: "|33C0EB04|"; distance: 4; within: 8; content: "|8B00EB03|"; distance: 4; within: 8; content: "|C3EB02|"; distance: 3; within: 6; content: "|E9FA000000EB01|"; distance: 2; within: 9; content: "|E8|"; distance: 1; within: 2; content: "|EB01|"; distance: 4; within: 6; content: "|EB02|"; distance: 1; within: 3; content: "|58EB04|"; distance: 2; within: 5; content: "|EB02|"; distance: 4; within: 6; content: "|64678F060000EB02|"; distance: 2; within: 10; content: "|83C404EB01|"; distance: 2; within: 7; content: "|E8|"; distance: 1; within: 2; sid: 2009000754; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Obsiduim 1304 - Obsiduim Software]"; flow: established,to_client; content: "|EB02|"; content: "|E825000000EB04|"; distance: 2; within: 9; content: "|EB01|"; distance: 4; within: 6; content: "|8B54240CEB01|"; distance: 1; within: 7; content: "|8382B800000023EB01|"; distance: 1; within: 10; content: "|33C0EB02|"; distance: 1; within: 5; content: "|C3EB02|"; distance: 2; within: 5; content: "|EB04|"; distance: 2; within: 4; content: "|6467FF360000EB03|"; distance: 4; within: 12; content: "|64|"; distance: 3; within: 4; sid: 2009000755; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ORiEN v211 (DEMO)]"; flow: established,to_client; content: "|E95D010000CED1CECE0D0A2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D0D0A2D204F5269454E2065786563757461626C652066696C65732070726F|"; sid: 2009000756; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ORiEN v211 - 212 - Fisun Alexander]"; flow: established,to_client; content: "|E95D010000CED1CE|"; content: "|0D0A2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D2D0D0A2D204F5269454E2065786563757461626C652066696C65732070726F|"; distance: 1; within: 77; sid: 2009000757; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ORiEN V212 - Fisun AV]"; flow: established,to_client; content: "|E95D010000CED1CECD0D|"; sid: 2009000758; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pack Master v10]"; flow: established,to_client; content: "|60E801000000E883C404E801000000E95D81EDD3224000E804020000E8EB08EB02CD20FF24249A66BE4746|"; sid: 2009000759; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pack Master v10]"; flow: established,to_client; content: "|60E801|"; content: "|E883C404E801|"; distance: 3; within: 9; content: "|E95D81EDD32240|"; distance: 3; within: 10; content: "|E80402|"; distance: 1; within: 4; content: "|E8EB08EB02CD20FF24249A66BE4746|"; distance: 2; within: 17; sid: 2009000760; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packanoid - Arkanoid]"; flow: established,to_client; content: "|BF00104000BE|"; content: "|00E89D000000B8|"; distance: 3; within: 10; sid: 2009000761; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packanoid 10 - ackanoid]"; flow: established,to_client; content: "|BF00|"; content: "|4000BE|"; distance: 1; within: 4; content: "|00E89D000000B8|"; distance: 3; within: 10; content: "|008B308B7804BB|"; distance: 3; within: 10; content: "|008B430491E31F51FFD656968B138B0291E30D525156FFD75A890283C204EBEE83C3085EEBDBB9|"; distance: 3; within: 42; content: "|0000BE00|"; distance: 2; within: 6; content: "|00EB0100BF|"; distance: 2; within: 7; content: "|00|"; distance: 3; within: 4; sid: 2009000762; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packanoid v1 - Arkanoid]"; flow: established,to_client; content: "|BF|"; content: "|BE|"; distance: 4; within: 5; content: "|E89D000000B8|"; distance: 4; within: 10; content: "|8B308B7804BB|"; distance: 4; within: 10; content: "|8B430491E31F51FFD656968B138B0291E30D525156FFD75A890283C204EBEE83C308|"; distance: 4; within: 38; sid: 2009000763; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packed with PKLITE v150 with CRC check (1)]"; flow: established,to_client; content: "|1FB409BA|"; content: "|CD21B8|"; distance: 2; within: 5; content: "|CD21|"; distance: 2; within: 4; sid: 2009000764; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packman 0001 - bubba]"; flow: established,to_client; content: "|60E800000000588DA8|"; content: "|FEFFFF8D98|"; distance: 1; within: 6; content: "|FF8D|"; distance: 3; within: 5; content: "|010000|"; distance: 2; within: 5; sid: 2009000765; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packman v0001]"; flow: established,to_client; content: "|60E800000000588DA8|"; content: "|FFFF8D98|"; distance: 2; within: 6; content: "|FF8D|"; distance: 3; within: 5; content: "|010000|"; distance: 2; within: 5; content: "|0000|"; distance: 28; within: 30; sid: 2009000766; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packman V0001 - Bubbasoft]"; flow: established,to_client; content: "|60E800000000588D|"; content: "|8D|"; distance: 5; within: 6; content: "|8D|"; distance: 5; within: 6; content: "|8D|"; distance: 5; within: 6; content: "|48|"; distance: 2; within: 3; sid: 2009000767; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packman V10 - Brandon LaCombe]"; flow: established,to_client; content: "|60E8000000005B8D5BC6011B8B138D73146A08590116AD4975FA|"; sid: 2009000768; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Packman v10 - Brandon LaCombe]"; flow: established,to_client; content: "|60E8000000005B8D5BC6011B8B138D73146A08590116AD4975FA8BE8C606E98B430C8946016A046800100000FF730851FF55088B|"; sid: 2009000769; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PACKWIN v101p]"; flow: established,to_client; content: "|8CC0FA8ED0BC|"; content: "|FB060E1F2E|"; distance: 2; within: 7; content: "|8BF14E8BFE8CDB2E|"; distance: 4; within: 12; content: "|8EC3FDF3A453B8|"; distance: 4; within: 11; content: "|50CB|"; distance: 2; within: 4; sid: 2009000770; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PAK-SFX Archive]"; flow: established,to_client; content: "|558BEC83|"; content: "|A1|"; distance: 2; within: 3; content: "|2E|"; distance: 2; within: 3; content: "|2E|"; distance: 3; within: 4; content: "|8CD78EC78D|"; distance: 5; within: 10; content: "|BE|"; distance: 2; within: 3; content: "|FCAC3C0D|"; distance: 2; within: 6; sid: 2009000771; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PassEXE v20]"; flow: established,to_client; content: "|061E0E0E071FBE|"; content: "|B9|"; distance: 2; within: 3; content: "|871481|"; distance: 2; within: 5; content: "|EB|"; distance: 3; within: 4; content: "|C7|"; distance: 1; within: 2; content: "|840087|"; distance: 3; within: 6; content: "|FB1F584A|"; distance: 3; within: 7; sid: 2009000772; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PassLock 2000 v10 (Eng) - Moonlight-Software]"; flow: established,to_client; content: "|558BEC535657BB00504000662EF7053420400004000F8598000000E81F010000C74360010000008D83E401000050FF15F061400083EC44C7042444000000C744242C0000000054FF15E8614000B80A000000F74424|"; sid: 2009000773; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Password Protector (c) MiniSoft 1992]"; flow: established,to_client; content: "|060E0E071FE800005B83EB08BA270103D3E83C02BAEA|"; sid: 2009000774; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Password protector my SMT]"; flow: established,to_client; content: "|E8|"; content: "|5D8BFD81|"; distance: 4; within: 8; content: "|81|"; distance: 5; within: 6; content: "|83|"; distance: 5; within: 6; content: "|89|"; distance: 2; within: 3; content: "|8D|"; distance: 5; within: 6; content: "|8D|"; distance: 5; within: 6; content: "|4680|"; distance: 5; within: 7; content: "|74|"; distance: 2; within: 3; sid: 2009000775; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PC Guard for Win32 v500 - SofProBlagoje Ceklic]"; flow: established,to_client; content: "|FC5550E8000000005D60E80300000083EB0EEB010C58EB013540EB0136FFE00B61B8|"; content: "|00EB01E360E803000000D2EB0B58EB014840EB0135FFE0E7612BE89CEB01D59DEB010B5860E80300000083EB0EEB010C|"; distance: 3; within: 51; sid: 2009000776; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PC PE Encryptor Alpha preview]"; flow: established,to_client; content: "|535152565755E8000000005D8BCD81ED333040|"; content: "|2B8DEE32400083E90B898DF23240|"; distance: 1; within: 15; content: "|80BDD13240|"; distance: 1; within: 6; content: "|010F84|"; distance: 1; within: 4; sid: 2009000777; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PC Shrinker v020]"; flow: established,to_client; content: "|E8E801|"; content: "|6001ADB32740|"; distance: 2; within: 8; content: "|68|"; distance: 1; within: 2; sid: 2009000778; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PC Shrinker v071]"; flow: established,to_client; content: "|9C60BD|"; content: "|01AD543A40|"; distance: 4; within: 9; content: "|FFB5503A40|"; distance: 1; within: 6; content: "|6A40FF95883A40|"; distance: 1; within: 8; content: "|50502D|"; distance: 1; within: 4; content: "|8985|"; distance: 4; within: 6; sid: 2009000779; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PC-Guard v303d v305d]"; flow: established,to_client; content: "|5550E8|"; content: "|5DEB01E360E803|"; distance: 4; within: 11; content: "|D2EB0B58EB014840EB01|"; distance: 3; within: 13; sid: 2009000780; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PC-Guard v405d v410d v415d]"; flow: established,to_client; content: "|FC5550E8000000005DEB01|"; sid: 2009000781; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PC-Guard v500d]"; flow: established,to_client; content: "|FC5550E8000000005D60E80300000083EB0EEB010C58EB013540EB0136FFE00B61B830D24000EB01E360E803000000D2EB0B58EB014840EB0135FFE0E7612BE89CEB01D59DEB010B5860E80300000083EB0EEB010C|"; sid: 2009000782; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PCPEC alpha - preview]"; flow: established,to_client; content: "|535152565755E8000000005D8BCD81ED33304000|"; sid: 2009000783; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PCPEC [alpha]]"; flow: established,to_client; content: "|535152565755E8|"; content: "|5D8BCD81|"; distance: 4; within: 8; content: "|2B|"; distance: 5; within: 6; content: "|83|"; distance: 5; within: 6; sid: 2009000784; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PCrypt v351]"; flow: established,to_client; content: "|504352595054FF76332E353100E9|"; sid: 2009000785; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PcShare v40 - ]"; flow: established,to_client; content: "|558BEC6AFF689034400068B628400064A1|"; sid: 2009000786; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PCShrink 071 beta]"; flow: established,to_client; content: "|01AD543A4000FFB5503A40006A40FF95883A4000|"; sid: 2009000787; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PCShrink v040b]"; flow: established,to_client; content: "|9C60BD|"; content: "|01|"; distance: 4; within: 5; content: "|FF|"; distance: 5; within: 6; content: "|6A|"; distance: 5; within: 6; content: "|FF|"; distance: 1; within: 2; content: "|50502D|"; distance: 5; within: 8; sid: 2009000788; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Crypt 15 - BitShape Software]"; flow: established,to_client; content: "|60E8000000005D81ED55204000B97B0900008DBD9D2040008BF7AC|"; content: "|AAE2CC|"; distance: 48; within: 51; sid: 2009000789; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Crypt v100v101]"; flow: established,to_client; content: "|E8|"; content: "|5B83EB05EB04524E4421EB02CD20EB|"; distance: 4; within: 19; sid: 2009000790; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Crypt v102]"; flow: established,to_client; content: "|E8|"; content: "|5B83EB05EB04524E44|"; distance: 4; within: 13; sid: 2009000791; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Crypt32 (Console v10 v101 v102)]"; flow: established,to_client; content: "|E8000000005B83EB05EB04524E4421EB02CD20EB|"; sid: 2009000792; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Crypt32 v102]"; flow: established,to_client; content: "|E8000000005B83|"; content: "|EB|"; distance: 2; within: 3; content: "|524E4421|"; distance: 1; within: 5; sid: 2009000793; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Diminisher v01]"; flow: established,to_client; content: "|535152565755E8000000005D8BD581EDA23040002B959133400081EA0B00000089959A33400080BD993340000074|"; sid: 2009000794; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Diminisher v01]"; flow: established,to_client; content: "|5D8BD581EDA23040|"; content: "|2B95913340|"; distance: 1; within: 6; content: "|81EA0B|"; distance: 1; within: 4; content: "|89959A3340|"; distance: 3; within: 8; content: "|80BD99|"; distance: 1; within: 4; sid: 2009000795; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Diminisher V01 - Teraphy]"; flow: established,to_client; content: "|535152565755E800000000|"; sid: 2009000796; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Diminisher v01 - Teraphy]"; flow: established,to_client; content: "|535152565755E8000000005D8BD581EDA23040002B959133400081EA0B00000089959A33400080BD99334000007450E8020100008BFD8D9D9A3340008B1B8D87|"; sid: 2009000797; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Encrypt 10 - Liwuyue]"; flow: established,to_client; content: "|558BEC83C4D05356578D75FC8B442430250000FFFF81384D5A900074072D00100000EBF18945FCE8C8FFFFFF2D0F0500008945F48B068B403C03068B407803068BC88B512003168B5924031E895DF08B591C031E895DEC8B41188BC84985C9725A4133C08BD8C1E30203DA8B3B033E813F4765745075408BDF83C304813B726F634175338BDF83C308813B64647265752683C70C66813F7373|"; sid: 2009000798; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Intro v10]"; flow: established,to_client; content: "|8B04249C60E8|"; content: "|5D81ED0A4540|"; distance: 4; within: 10; content: "|80BD674440|"; distance: 1; within: 6; content: "|0F8548|"; distance: 2; within: 5; sid: 2009000799; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Lock NT v201]"; flow: established,to_client; content: "|EB03CD20EBEB01EB1EEB01EBEB02CD209CEB03CD|"; sid: 2009000800; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Lock NT v202c]"; flow: established,to_client; content: "|EB02C7851EEB03CD20EBEB01EB9CEB01EBEB02CD|"; sid: 2009000801; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Lock NT v203]"; flow: established,to_client; content: "|EB02C7851EEB03CD20C79CEB0269B160EB02EB01|"; sid: 2009000802; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Lock NT v204]"; flow: established,to_client; content: "|EB|"; content: "|CD|"; distance: 1; within: 2; content: "|CD|"; distance: 5; within: 6; content: "|EB|"; distance: 5; within: 6; content: "|EB|"; distance: 1; within: 2; content: "|EB|"; distance: 1; within: 2; content: "|EB|"; distance: 1; within: 2; content: "|CD|"; distance: 1; within: 2; content: "|E8|"; distance: 5; within: 6; content: "|E9|"; distance: 4; within: 5; content: "|50C3|"; distance: 4; within: 6; sid: 2009000803; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Lock v106]"; flow: established,to_client; content: "|0000000000000000|"; content: "|000000004C6F61644C6962726172794100005669727475616C416C6C6F63004B45|"; distance: 8; within: 41; sid: 2009000804; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Ninja v10 - DzA kRAker TNT]"; flow: established,to_client; content: "|BE5B2A4000BF35120000E8401200003D2283A3C60F85670F000090909090909090909090909090909090909090909090|"; sid: 2009000805; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Pack v099]"; flow: established,to_client; content: "|60E8|"; content: "|5D83ED0680BDE004|"; distance: 4; within: 12; content: "|010F84F2|"; distance: 2; within: 6; sid: 2009000806; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Packer]"; flow: established,to_client; content: "|FC8B35700140|"; content: "|83EE406A4068|"; distance: 1; within: 7; content: "|3010|"; distance: 1; within: 3; sid: 2009000807; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Password v02 SMTSMF]"; flow: established,to_client; content: "|E804|"; content: "|8BEC5DC333C05D8BFD81ED332640|"; distance: 3; within: 17; content: "|81EF|"; distance: 1; within: 3; content: "|83EF0589AD882740|"; distance: 4; within: 12; content: "|8D9D072940|"; distance: 1; within: 6; content: "|8DB5622840|"; distance: 1; within: 6; content: "|4680|"; distance: 1; within: 3; sid: 2009000808; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Protect v09]"; flow: established,to_client; content: "|525155576467A1300085C0780DE8|"; content: "|5883C007C6|"; distance: 4; within: 9; content: "|C3|"; distance: 1; within: 2; sid: 2009000809; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Protector 093 -- CRYPToCRACk]"; flow: established,to_client; content: "|5B81E300FFFFFF66813B4D5A75338BF303733C813E5045000075260FB746188BC869C0AD0B0000F7E02DAB5D414B69C9DEC0000003C1750983EC040F85DD0000|"; sid: 2009000810; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE Spin v0b]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C2472C846000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E226E801000000EA5A33C9|"; sid: 2009000811; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-Armor 046 - China Cracking Group]"; flow: established,to_client; content: "|E8AA0000002D|"; content: "|0000000000000000003D|"; distance: 2; within: 12; content: "|002D|"; distance: 2; within: 4; content: "|0000000000000000000000000000000000000000004B|"; distance: 2; within: 24; content: "|005C|"; distance: 2; within: 4; content: "|006F|"; distance: 2; within: 4; content: "|00000000004B45524E454C33322E646C6C0000000047657450726F6341|"; distance: 2; within: 31; sid: 2009000812; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-Armor 046 - Hying]"; flow: established,to_client; content: "|E8AA0000002D|"; content: "|0000000000000000003D|"; distance: 2; within: 12; content: "|002D|"; distance: 2; within: 4; content: "|0000000000000000000000000000000000000000004B|"; distance: 2; within: 24; content: "|005C|"; distance: 2; within: 4; content: "|006F|"; distance: 2; within: 4; content: "|00000000004B45524E454C33322E646C6C0000000047657450726F63416464726573730000004765744D6F64756C6548616E646C65410000004C6F61644C69627261727941|"; distance: 2; within: 71; sid: 2009000813; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-Armor 046 - Hying]"; flow: established,to_client; content: "|E8AA0000002D|"; content: "|00000000000000003D|"; distance: 3; within: 12; sid: 2009000814; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-Armor 049 - Hying]"; flow: established,to_client; content: "|5652515355E81501000032|"; content: "|0000000000|"; distance: 2; within: 7; sid: 2009000815; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-Armor V07X - hying]"; flow: established,to_client; content: "|60E8000000005D81ED|"; content: "|8DB5|"; distance: 4; within: 6; content: "|555681C5|"; distance: 4; within: 8; content: "|55C3|"; distance: 4; within: 6; sid: 2009000816; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-Crypt 102]"; flow: established,to_client; content: "|E8000000005B83EB05EB04524E442185C07302F7|"; sid: 2009000817; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-Crypter]"; flow: established,to_client; content: "|60E8000000005DEB26|"; sid: 2009000818; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-PACK 099]"; flow: established,to_client; content: "|60E8000000005D83ED0680BDE0040000010F84F2|"; sid: 2009000819; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-PACK v10 by ANAKiN 1998 ()]"; flow: established,to_client; content: "|74|"; content: "|E9|"; distance: 1; within: 2; content: "|00000000|"; distance: 4; within: 8; sid: 2009000820; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-PROTECT 09]"; flow: established,to_client; content: "|E9CF0000000D0A0D0AC4C4C4C4C4C4C4C4C4C4C4|"; sid: 2009000821; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE-SHiELD 02]"; flow: established,to_client; content: "|60E800000000414E414B494E5D83ED06EB02EA04|"; sid: 2009000822; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pe123 v2006412]"; flow: established,to_client; content: "|8BC0609CE801000000C353E87200000050E81C0300008BD8FFD35BC38BC0E8000000005883C005C38BC0558BEC608B4D108B7D0C8B7508F3A4615DC20C00E8000000005883E805C38BC0E8000000005883C005C38B|"; sid: 2009000823; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pe123 v200644]"; flow: established,to_client; content: "|8BC0EB013460EB012A9CEB02EAC8E80F000000EB033D2323EB014AEB015BC38D400053EB016CEB017EEB018FE81501000050E867040000EB019A8BD8FFD35BC38BC0E8000000005883C005C38BC0558BEC608B4D10|"; sid: 2009000824; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEBundle v02 - v20x]"; flow: established,to_client; content: "|9C60E802|"; content: "|33C08BC483C004938BE38B5BFC81EB|"; distance: 3; within: 18; content: "|40|"; distance: 2; within: 3; content: "|87DD6A0468|"; distance: 1; within: 6; content: "|10|"; distance: 1; within: 2; content: "|68|"; distance: 2; within: 3; content: "|02|"; distance: 1; within: 2; content: "|6A|"; distance: 2; within: 3; content: "|FF95|"; distance: 1; within: 3; sid: 2009000825; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEBundle v20b5 - v23]"; flow: established,to_client; content: "|9C60E802|"; content: "|33C08BC483C004938BE38B5BFC81EB|"; distance: 3; within: 18; content: "|40|"; distance: 2; within: 3; content: "|87DD01AD|"; distance: 1; within: 5; content: "|01AD|"; distance: 4; within: 6; sid: 2009000826; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEBundle v244]"; flow: established,to_client; content: "|9C60E802|"; content: "|33C08BC483C004938BE38B5BFC81EB|"; distance: 3; within: 18; content: "|40|"; distance: 2; within: 3; content: "|87DD83BD|"; distance: 1; within: 5; sid: 2009000827; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PeCompact 253 DLL (Slim Loader) -- BitSum Technologies]"; flow: established,to_client; content: "|B8|"; content: "|5064FF35000000006489250000000033C08908504543320000080C0048E101565753558B5C241C85DB0F84AB21E8BD0EE6600D0B6B65726E6C3332|"; distance: 4; within: 63; sid: 2009000828; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact 2xx (Slim Loader) -- BitSum Technologies]"; flow: established,to_client; content: "|B8|"; content: "|5064FF35000000006489250000000033C089085045433200|"; distance: 4; within: 28; sid: 2009000829; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact 2xx -- BitSum Technologies]"; flow: established,to_client; content: "|B8|"; content: "|5064FF35000000006489250000000033C089085045436F6D706163743200|"; distance: 4; within: 34; sid: 2009000830; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v090]"; flow: established,to_client; content: "|EB0668|"; content: "|4000C39C60BD|"; distance: 2; within: 8; content: "|0000B902000000B0908DBD7A424000F3AA01ADD9434000FFB5|"; distance: 2; within: 27; sid: 2009000831; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v092]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60BD|"; distance: 4; within: 8; content: "|B902|"; distance: 4; within: 6; content: "|B0908DBDA54F40|"; distance: 3; within: 10; content: "|F3AA01AD045140|"; distance: 1; within: 8; content: "|FFB5|"; distance: 1; within: 3; sid: 2009000832; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v094]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E8|"; distance: 4; within: 8; content: "|5D555881ED|"; distance: 4; within: 9; content: "|2B85|"; distance: 4; within: 6; content: "|0185|"; distance: 4; within: 6; content: "|50B902|"; distance: 4; within: 7; sid: 2009000833; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v0971 - v0976]"; flow: established,to_client; content: "|EB0668C39C60E85D555B81ED8B85018566C785|"; sid: 2009000834; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v0977]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EBA08640|"; distance: 3; within: 21; content: "|87DD8B852A87|"; distance: 1; within: 7; sid: 2009000835; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v0978]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB248840|"; distance: 3; within: 21; content: "|87DD8B85A988|"; distance: 1; within: 7; sid: 2009000836; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v09781]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB498740|"; distance: 3; within: 21; content: "|87DD8B85CE87|"; distance: 1; within: 7; sid: 2009000837; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v09782]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EBD18440|"; distance: 3; within: 21; content: "|87DD8B855685|"; distance: 1; within: 7; sid: 2009000838; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v098]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EBD78440|"; distance: 3; within: 21; content: "|87DD8B855C85|"; distance: 1; within: 7; sid: 2009000839; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v099]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB2F8540|"; distance: 3; within: 21; content: "|87DD8B85B485|"; distance: 1; within: 7; sid: 2009000840; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v100]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EBC48440|"; distance: 3; within: 21; content: "|87DD8B854985|"; distance: 1; within: 7; sid: 2009000841; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v110b1]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB286340|"; distance: 3; within: 21; content: "|87DD8B85AD63|"; distance: 1; within: 7; sid: 2009000842; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v110b2]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F6040|"; distance: 3; within: 21; content: "|87DD8B859460|"; distance: 1; within: 7; sid: 2009000843; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v110b3]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F6040|"; distance: 3; within: 21; content: "|87DD8B85956040|"; distance: 1; within: 8; content: "|0185036040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|6040|"; distance: 1; within: 3; content: "|9090BB95|"; distance: 1; within: 5; sid: 2009000844; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v110b4]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F6040|"; distance: 3; within: 21; content: "|87DD8B85956040|"; distance: 1; within: 8; content: "|0185036040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|6040|"; distance: 1; within: 3; content: "|9090BB44|"; distance: 1; within: 5; sid: 2009000845; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v110b5]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F6040|"; distance: 3; within: 21; content: "|87DD8B85956040|"; distance: 1; within: 8; content: "|0185036040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|6040|"; distance: 1; within: 3; content: "|9090BB49|"; distance: 1; within: 5; sid: 2009000846; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v110b6]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F60|"; distance: 3; within: 20; content: "|0087DD8B859A6040|"; distance: 1; within: 9; content: "|0185036040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|6040|"; distance: 1; within: 3; content: "|90900185926040|"; distance: 1; within: 8; content: "|BBB7|"; distance: 1; within: 3; sid: 2009000847; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v110b7]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F6040|"; distance: 3; within: 21; content: "|87DD8B859A6040|"; distance: 1; within: 8; content: "|0185036040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|6040|"; distance: 1; within: 3; content: "|90900185926040|"; distance: 1; within: 8; content: "|BB14|"; distance: 1; within: 3; sid: 2009000848; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v120 - v1201]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F7040|"; distance: 3; within: 21; content: "|87DD8B859A7040|"; distance: 1; within: 8; sid: 2009000849; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v122]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F7040|"; distance: 3; within: 21; content: "|87DD8B85A67040|"; distance: 1; within: 8; content: "|0185037040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|7040|"; distance: 1; within: 3; content: "|909001859E7040|"; distance: 1; within: 8; content: "|BBF308|"; distance: 1; within: 4; sid: 2009000850; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v123b3 - v1241]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F7040|"; distance: 3; within: 21; content: "|87DD8B85A67040|"; distance: 1; within: 8; content: "|0185037040|"; distance: 1; within: 6; content: "|66C785704090|"; distance: 1; within: 7; content: "|9001859E7040BB|"; distance: 1; within: 8; content: "|D208|"; distance: 1; within: 3; sid: 2009000851; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v1242 - v1243]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F7040|"; distance: 3; within: 21; content: "|87DD8B85A67040|"; distance: 1; within: 8; content: "|0185037040|"; distance: 1; within: 6; content: "|66C785704090|"; distance: 1; within: 7; content: "|9001859E7040BB|"; distance: 1; within: 8; content: "|D209|"; distance: 1; within: 3; sid: 2009000852; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v125]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F7040|"; distance: 3; within: 21; content: "|87DD8B85A67040|"; distance: 1; within: 8; content: "|0185037040|"; distance: 1; within: 6; content: "|66C785704090|"; distance: 1; within: 7; content: "|9001859E7040BB|"; distance: 1; within: 8; content: "|F30D|"; distance: 1; within: 3; sid: 2009000853; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v126b1 - v126b2]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F7040|"; distance: 3; within: 21; content: "|87DD8B85A67040|"; distance: 1; within: 8; content: "|0185037040|"; distance: 1; within: 6; content: "|66C785704090|"; distance: 1; within: 7; content: "|9001859E7040BB|"; distance: 1; within: 8; content: "|050E|"; distance: 1; within: 3; sid: 2009000854; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v133]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F8040|"; distance: 3; within: 21; content: "|87DD8B85A68040|"; distance: 1; within: 8; content: "|0185038040|"; distance: 1; within: 6; content: "|66C785008040|"; distance: 1; within: 7; content: "|909001859E8040|"; distance: 1; within: 8; content: "|BBE80E|"; distance: 1; within: 4; sid: 2009000855; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v134 - v140b1]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F8040|"; distance: 3; within: 21; content: "|87DD8B85A68040|"; distance: 1; within: 8; content: "|0185038040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|0080|"; distance: 1; within: 3; content: "|40909001859E80|"; distance: 1; within: 8; content: "|40BBF810|"; distance: 1; within: 5; sid: 2009000856; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v140 - v145]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0FA040|"; distance: 3; within: 21; content: "|87DD8B85A6A040|"; distance: 1; within: 8; content: "|018503A040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|A040|"; distance: 1; within: 3; content: "|909001859EA040|"; distance: 1; within: 8; content: "|BBC311|"; distance: 1; within: 4; sid: 2009000857; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v140b2 - v140b4]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0FA040|"; distance: 3; within: 21; content: "|87DD8B85A6A040|"; distance: 1; within: 8; content: "|018503A040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|A040|"; distance: 1; within: 3; content: "|909001859EA040|"; distance: 1; within: 8; content: "|BB8611|"; distance: 1; within: 4; sid: 2009000858; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v140b5 - v140b6]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0FA040|"; distance: 3; within: 21; content: "|87DD8B85A6A040|"; distance: 1; within: 8; content: "|018503A040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|A040|"; distance: 1; within: 3; content: "|909001859EA040|"; distance: 1; within: 8; content: "|BB8A11|"; distance: 1; within: 4; sid: 2009000859; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v146]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0FA040|"; distance: 3; within: 21; content: "|87DD8B85A6A040|"; distance: 1; within: 8; content: "|018503A040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|A040|"; distance: 1; within: 3; content: "|909001859EA040|"; distance: 1; within: 8; content: "|BB6012|"; distance: 1; within: 4; sid: 2009000860; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v147 - v150]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0FA040|"; distance: 3; within: 21; content: "|87DD8B85A6A040|"; distance: 1; within: 8; content: "|018503A040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|A040|"; distance: 1; within: 3; content: "|909001859EA040|"; distance: 1; within: 8; content: "|BB5B12|"; distance: 1; within: 4; sid: 2009000861; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v14x]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81|"; distance: 3; within: 17; sid: 2009000862; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v155]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F8040|"; distance: 3; within: 21; content: "|87DD8B85A28040|"; distance: 1; within: 8; content: "|0185038040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|8040|"; distance: 1; within: 3; content: "|909001859E8040|"; distance: 1; within: 8; content: "|BB2D12|"; distance: 1; within: 4; sid: 2009000863; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v156]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB0F9040|"; distance: 3; within: 21; content: "|87DD8B85A29040|"; distance: 1; within: 8; content: "|0185039040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|9040|"; distance: 1; within: 3; content: "|909001859E9040|"; distance: 1; within: 8; content: "|BB2D12|"; distance: 1; within: 4; sid: 2009000864; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v160 - v165]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB3F8040|"; distance: 3; within: 21; content: "|87DD8B85D28040|"; distance: 1; within: 8; content: "|0185338040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|8040|"; distance: 1; within: 3; content: "|90900185CE8040|"; distance: 1; within: 8; content: "|BBBB12|"; distance: 1; within: 4; sid: 2009000865; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v166]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB3F9040|"; distance: 3; within: 21; content: "|87DD8B85E69040|"; distance: 1; within: 8; content: "|0185339040|"; distance: 1; within: 6; content: "|66C785|"; distance: 1; within: 4; content: "|9040|"; distance: 1; within: 3; content: "|90900185DA9040|"; distance: 1; within: 8; content: "|0185DE9040|"; distance: 1; within: 6; content: "|0185E29040|"; distance: 1; within: 6; content: "|BB5B11|"; distance: 1; within: 4; sid: 2009000866; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v167]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB3F904087DD8B85E69040018533904066C785904090900185DA90400185DE90400185E29040BB8B11|"; distance: 3; within: 58; sid: 2009000867; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v168 - v184]"; flow: established,to_client; content: "|EB0668|"; content: "|C39C60E802|"; distance: 4; within: 9; content: "|33C08BC483C004938BE38B5BFC81EB3F904087DD8B85E69040018533904066C785904090900185DA90400185DE90400185E29040BB7B11|"; distance: 3; within: 58; sid: 2009000868; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v184]"; flow: established,to_client; content: "|33C08BC483C004938BE38B5BFC81|"; sid: 2009000869; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v20 beta - Jeremy Collake]"; flow: established,to_client; content: "|B8|"; content: "|05|"; distance: 4; within: 5; content: "|5064FF350000000064892500000000CC90909090|"; distance: 4; within: 24; sid: 2009000870; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v25 Retail (Slim Loader) - Bitsum Technologies]"; flow: established,to_client; content: "|B8|"; content: "|015064FF35000000006489250000000033C089085045433200|"; distance: 3; within: 28; sid: 2009000871; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact v25 Retail - Bitsum Technologies]"; flow: established,to_client; content: "|B8|"; content: "|015064FF35000000006489250000000033C089085045436F6D706163743200|"; distance: 3; within: 34; sid: 2009000872; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECompact V2X- Bitsum Technologies]"; flow: established,to_client; content: "|B8|"; content: "|5064FF35000000006489250000000033C08908504543|"; distance: 4; within: 26; sid: 2009000873; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PECrc32 088 - ZhouJinYu]"; flow: established,to_client; content: "|60E8000000005D81EDB6A445008DBDB0A4450081EF82000000|"; sid: 2009000874; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEcrypt - by archphase]"; flow: established,to_client; content: "|558BEC83C4E0535633C08945E48945E08945EC|"; content: "|64824000E87CC7FFFF33C05568BE84400064FF3064892068CC844000|"; distance: 4; within: 32; content: "|00A110A7400050E81DC8FFFF8BD885DB7539E83AC8FFFF6A006A0068A0A940006800040000506A006800130000E8FFC7FFFF6A0068E0844000A1A0A94000506A00E8|"; distance: 4; within: 70; content: "|E97D01000053A110A7400050E842C8FFFF8BF085F675186A0068E084400068E48440006A00E871C8FFFFE953010000536A00E82CC8FFFFA3|"; distance: 4; within: 60; content: "|833D48A840000075186A0068E084400068F88440006A00E843C8FFFFE92501000056E8F8C7FFFFA34CA84000A148A84000E891A1FFFF8BD88B1548A8400085D27C164233C08B0D4CA8400003C88A098D3418880E404A75ED8B1548A8400085D27C324233C08D34188A0E80F9017505C606FFEB1C8D0C188A0984|"; distance: 4; within: 126; content: "|00EB0E8B0D4CA8400003C80FB60949880E404A75D18D|"; distance: 5; within: 27; content: "|E8A5A3FFFF8B45E88D55ECE856D5FFFF8D45ECBA18854000E879BAFFFF8B45ECE839BBFFFF8BD0B854A84000E831A6FFFFBA01000000B854A84000E812A9FFFFE8DDA1FFFF6850A840008BD38B0D48A84000B854A84000E856A7FFFFE8C1A1FFFF|"; distance: 4; within: 101; sid: 2009000875; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEEncrypt v40b (JunkCode)]"; flow: established,to_client; content: "|66|"; content: "|006683|"; distance: 2; within: 5; content: "|00|"; distance: 1; within: 2; sid: 2009000876; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEiD-Bundle v100 - v101 -- BoB BobSoft]"; flow: established,to_client; content: "|60E8|"; content: "|0200008B44240452486631C06681384D5A75F58B503C813C025045000075E95AC204006089DD89C38B453C8B54287801EA528B522001EA31C9418B348A|"; distance: 1; within: 62; sid: 2009000877; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEiD-Bundle v100 -- BoB BobSoft]"; flow: established,to_client; content: "|60E8210200008B44240452486631C06681384D5A75F58B503C813C025045000075E95AC204006089DD89C38B453C8B54287801EA528B522001EA31C9418B348A|"; sid: 2009000878; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEiD-Bundle v101 -- BoB BobSoft]"; flow: established,to_client; content: "|60E8230200008B44240452486631C06681384D5A75F58B503C813C025045000075E95AC204006089DD89C38B453C8B54287801EA528B522001EA31C9418B348A|"; sid: 2009000879; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEiD-Bundle v102 - v103 -- BoB BobSoft]"; flow: established,to_client; content: "|60E89C00000000000000000000000000000036|"; content: "|2E|"; distance: 3; within: 4; content: "|000000000000000000000000000000000000000001000080000000004B65726E656C33322E44|"; distance: 3; within: 41; sid: 2009000880; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEiD-Bundle v102 - v103 DLL -- BoB BobSoft]"; flow: established,to_client; content: "|837C2408010F85|"; content: "|60E89C0000000000000000000000000000004100080039000800000000000000000000000000000000000000000001000080000000|"; distance: 4; within: 57; sid: 2009000881; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEiD-Bundle v102 - v104 -- BoB BobSoft]"; flow: established,to_client; content: "|60E8|"; content: "|00000000000000000000000000000036|"; distance: 1; within: 17; content: "|2E|"; distance: 3; within: 4; content: "|000000000000000000000000000000000000000001000080000000004B65726E656C33322E44|"; distance: 3; within: 41; sid: 2009000882; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pelles C 28x-45x - Pelle Orinius]"; flow: established,to_client; content: "|5589E56AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64FF35|"; distance: 4; within: 7; content: "|648925|"; distance: 4; within: 7; content: "|83EC|"; distance: 4; within: 6; sid: 2009000883; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pelles C 280 -290 EXE (X86 CRT-LIB)]"; flow: established,to_client; content: "|5589E56AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64FF35|"; distance: 4; within: 7; content: "|648925|"; distance: 4; within: 7; content: "|83EC|"; distance: 4; within: 6; content: "|83EC|"; distance: 1; within: 3; content: "|5356578965E868000000|"; distance: 1; within: 11; content: "|E8|"; distance: 1; within: 2; content: "|59A3|"; distance: 4; within: 6; sid: 2009000884; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pelles C 290 300 400 DLL (X86 CRT-LIB)]"; flow: established,to_client; content: "|5589E55356578B5D0C8B7510BF0100000085DB7510833D|"; content: "|00750731C0E9|"; distance: 4; within: 10; content: "|83FB01740583FB0275|"; distance: 4; within: 13; content: "|85FF74|"; distance: 1; within: 4; sid: 2009000885; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pelles C 2x-4x DLL - Pelle Orinius]"; flow: established,to_client; content: "|5589E55356578B5D0C8B7510|"; sid: 2009000886; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pelles C 300 400 450 EXE (X86 CRT-DLL)]"; flow: established,to_client; content: "|5589E56AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64FF35|"; distance: 4; within: 7; content: "|648925|"; distance: 4; within: 7; content: "|83EC|"; distance: 4; within: 6; content: "|5356578965E8C745FC|"; distance: 1; within: 10; content: "|68|"; distance: 4; within: 5; content: "|E8|"; distance: 4; within: 5; content: "|59BE|"; distance: 4; within: 6; content: "|EB|"; distance: 4; within: 5; sid: 2009000887; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pelles C 300 400 450 EXE (X86 CRT-LIB)]"; flow: established,to_client; content: "|5589E56AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64FF35|"; distance: 4; within: 7; content: "|648925|"; distance: 4; within: 7; content: "|83EC|"; distance: 4; within: 6; content: "|5356578965E86800000002E8|"; distance: 1; within: 13; content: "|59A3|"; distance: 4; within: 6; sid: 2009000888; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pelles C 450 DLL (X86 CRT-LIB)]"; flow: established,to_client; content: "|5589E55356578B5D0C8B751085DB750D833D|"; content: "|00750431C0EB5783FB01740583FB0275|"; distance: 4; within: 20; sid: 2009000889; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PELOCKnt 204]"; flow: established,to_client; content: "|EB03CD20C71EEB03CD20EA9CEB02EB01EB01EB60|"; sid: 2009000890; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEMangle]"; flow: established,to_client; content: "|609CBE|"; content: "|8BFEB9|"; distance: 4; within: 7; content: "|BB44524F4CAD33C3|"; distance: 4; within: 12; sid: 2009000891; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEncrypt 10 - JunkCode]"; flow: established,to_client; content: "|609CBE001040008BFEB9|"; content: "|BB78563412AD33C3ABE2FA9D61E9|"; distance: 4; within: 18; content: "|FF|"; distance: 3; within: 4; sid: 2009000892; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEncrypt 20 - junkcode]"; flow: established,to_client; content: "|EB250000F7BF000000000000000000001200E8005669727475616C50726F746563740000000000E8000000005D81ED2C1040008DB514104000E833000000898510104000BF000040008BF7037F3C8B4F5451568D85|"; sid: 2009000893; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEncrypt v10]"; flow: established,to_client; content: "|609CBE001040008BFEB928030000BB78563412AD33C3ABE2FA9D61|"; sid: 2009000894; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEncrypt v30]"; flow: established,to_client; content: "|E8000000005D81ED051040008DB5241040008BFEB90F000000BB|"; content: "|AD33C3E2FA|"; distance: 4; within: 9; sid: 2009000895; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEncrypt v31]"; flow: established,to_client; content: "|E9|"; content: "|00F00FC6|"; distance: 3; within: 7; sid: 2009000896; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEnguinCrypt v10]"; flow: established,to_client; content: "|B893|"; content: "|0055506764FF360000676489260000BD4B484342B804000000CC3C0475049090C39067648F060000585DBB0000400033C933C0|"; distance: 2; within: 53; sid: 2009000897; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PENightMare 2 Beta]"; flow: established,to_client; content: "|60E9|"; content: "|EF4003A7078F071C375D43A704B92C3A|"; distance: 4; within: 20; sid: 2009000898; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PENightMare v13]"; flow: established,to_client; content: "|60E8000000005DB9|"; content: "|8031154181F9|"; distance: 4; within: 10; sid: 2009000899; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PENinja]"; flow: established,to_client; content: "|909090909090909090909090909090909090909090909090909090909090909090909090|"; sid: 2009000900; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PENinja modified]"; flow: established,to_client; content: "|5D8BC581EDB22C40002B85943E40002D710200008985983E40000FB6B59C3E40008BFD|"; sid: 2009000901; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESHiELD v01b MTE]"; flow: established,to_client; content: "|E8|"; content: "|B91B01|"; distance: 26; within: 29; content: "|D1|"; distance: 2; within: 3; sid: 2009000902; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESHiELD v02 v02b v02b2]"; flow: established,to_client; content: "|60E8|"; content: "|414E414B494E5D83ED06EB02EA04|"; distance: 4; within: 18; sid: 2009000903; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESHiELD v0251]"; flow: established,to_client; content: "|5D83ED06EB02EA048D|"; sid: 2009000904; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEShit]"; flow: established,to_client; content: "|B8|"; content: "|B9|"; distance: 4; within: 5; content: "|83F9007E068030|"; distance: 4; within: 11; content: "|40E2F5E9|"; distance: 1; within: 5; content: "|FF|"; distance: 3; within: 4; sid: 2009000905; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin v01 - Cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C245CCB46000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFF|"; sid: 2009000906; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin v01 - Cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C245CCB46000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFFE801000000EA5A83EA0BFFE28B95B32840008B423C03C28985BD28400041C1E1078B0C0103CA8B591003DA8B1B899DD1284000538F85C4274000BB|"; content: "|000000B9A50800008DBD752940004F301C39FECBE2F9682D010000598DBDAA304000C00C3902E2FAE802000000FF155A8D85074F5600BB54130B00D1E32BC3FFE0E80100000068E81A0000008D3428B8|"; distance: 1; within: 81; content: "|2BC983C9150FA3C80F83810000008DB40DC42840008BD6B910000000AC84C07406C04EFF03E2F5E8000000005981C11D0000005251C1E90523D1FF|"; distance: 4; within: 63; sid: 2009000907; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin v03 (Eng) - cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C24B7CD46|"; sid: 2009000908; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin v03 (Eng) - cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C24B7CD46000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFF|"; sid: 2009000909; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin V03 - cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C24B7CD46000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFFE801000000EA5A83EA0BFFE28B95CB2C40008B423C03C28985D52C400041C1E1078B0C0103CA8B591003DA8B1B899DE92C4000538F85B62B4000BB|"; content: "|000000B9750A00008DBD7E2D40004F301C39FECBE2F9683C010000598DBDB6364000C00C3902E2FAE802000000FF155A8D851F535600BB54130B00D1E32BC3FFE0E80100000068E81A0000008D3428B908000000B8|"; distance: 1; within: 86; content: "|2BC983C9150FA3C80F83810000008DB40DDC2C4000|"; distance: 4; within: 25; sid: 2009000910; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin v07 - Cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C2483D546000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFF|"; sid: 2009000911; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin V071 - cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C2483D546000BE4749E|"; sid: 2009000912; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin V11 - cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C247DDE46000BE4749E|"; sid: 2009000913; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin v11 - Cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C247DDE46000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFF|"; sid: 2009000914; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESPin v13 - Cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C24ACDF46000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFF|"; sid: 2009000915; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin v1304 - Cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C2488DF46000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFF|"; sid: 2009000916; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PESpin v13beta - Cyberbob]"; flow: established,to_client; content: "|EB016860E8000000008B1C2483C312812BE8B10600FE4BFD822C2471DF46000BE4749E7501C7817304D77AF72F817319770043B7F6C36BB70000F9FFE3C9C20800A3687201FF5D33C941E217EB07EAEB01EBEB0DFF|"; sid: 2009000917; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Petite 12]"; flow: established,to_client; content: "|669C60E8CA000000030004000500060007000800|"; sid: 2009000918; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Petite 12 - (c)1998 Ian Luck]"; flow: established,to_client; content: "|669C60E8CA00000003000400050006000700080009000A000B000D000F001100130017001B001F0023002B0033003B0043005300630073008300A300C300E300020100000000000000000000000001010101020202|"; sid: 2009000919; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEtite v12]"; flow: established,to_client; content: "|9C60E8CA|"; content: "|03|"; distance: 3; within: 4; content: "|04|"; distance: 1; within: 2; content: "|05|"; distance: 1; within: 2; content: "|06|"; distance: 1; within: 2; content: "|07|"; distance: 1; within: 2; content: "|08|"; distance: 1; within: 2; sid: 2009000920; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEtite v14]"; flow: established,to_client; content: "|669C60508BD803|"; content: "|6854BC|"; distance: 1; within: 4; content: "|6A|"; distance: 2; within: 3; content: "|FF50148BCC|"; distance: 1; within: 6; sid: 2009000921; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Petite v14]"; flow: established,to_client; content: "|B8|"; content: "|669C60508BD8030068|"; distance: 4; within: 13; content: "|6A00|"; distance: 4; within: 6; sid: 2009000922; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEtite v20]"; flow: established,to_client; content: "|B8|"; content: "|669C60508BD803|"; distance: 4; within: 11; content: "|6854BC|"; distance: 1; within: 4; content: "|6A|"; distance: 2; within: 3; content: "|FF50188BCC8DA054BC|"; distance: 1; within: 10; content: "|8BC38D90E015|"; distance: 2; within: 8; content: "|68|"; distance: 2; within: 3; sid: 2009000923; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEtite v21]"; flow: established,to_client; content: "|B8|"; content: "|6A|"; distance: 4; within: 5; content: "|68|"; distance: 1; within: 2; content: "|64FF35|"; distance: 4; within: 7; content: "|648925|"; distance: 4; within: 7; content: "|669C6050|"; distance: 4; within: 8; sid: 2009000924; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Petite v21 (1)]"; flow: established,to_client; content: "|B8|"; content: "|68|"; distance: 4; within: 5; content: "|64|"; distance: 4; within: 5; content: "|64|"; distance: 6; within: 7; content: "|669C6050|"; distance: 6; within: 10; sid: 2009000925; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Petite v21 (2)]"; flow: established,to_client; content: "|B8|"; content: "|6A0068|"; distance: 4; within: 7; content: "|64|"; distance: 4; within: 5; content: "|64|"; distance: 6; within: 7; content: "|669C6050|"; distance: 6; within: 10; sid: 2009000926; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEtite v22]"; flow: established,to_client; content: "|B8|"; content: "|68|"; distance: 4; within: 5; content: "|64FF35|"; distance: 4; within: 7; content: "|648925|"; distance: 4; within: 7; content: "|669C6050|"; distance: 4; within: 8; sid: 2009000927; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Petite v (after v14)]"; flow: established,to_client; content: "|B8|"; content: "|669C60508D|"; distance: 4; within: 9; content: "|68|"; distance: 5; within: 6; content: "|83|"; distance: 4; within: 5; sid: 2009000928; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEtite vxx]"; flow: established,to_client; content: "|B8|"; content: "|669C6050|"; distance: 4; within: 8; sid: 2009000929; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PeX 099 - bartCrackPl]"; flow: established,to_client; content: "|E9F5|"; content: "|0D0AC4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4|"; distance: 3; within: 26; sid: 2009000930; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PEX v099]"; flow: established,to_client; content: "|60E801|"; content: "|83C404E801|"; distance: 4; within: 9; content: "|5D81|"; distance: 4; within: 6; sid: 2009000931; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PeX v099 (Eng) - bartCrackPl]"; flow: established,to_client; content: "|E9F50000000D0AC4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4C4|"; sid: 2009000932; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE_Admin 10 (EncryptPE 12003518 Sold) - Flying Cat]"; flow: established,to_client; content: "|609C64FF3500000000E879010000900000000000000000000000|"; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|000000006B65726E656C33322E646C6C00000047657453797374656D4469726563746F72794100000043726561746546696C654100000043726561746546696C654D617070696E67410000004D6170566965774F6646696C65000000556E6D6170566965774F6646696C65000000436C6F736548616E646C650000004C6F61644C6962726172794100000047657450726F63416464726573730000004578697450726F63657373|"; distance: 36; within: 203; sid: 2009000933; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PE_Admin 10 (EncryptPE 12003518 Sold) - Flying Cat]"; flow: established,to_client; content: "|609C64FF3500000000E879010000900000000000000000000000|"; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|000000006B65726E656C33322E646C6C00000047657453797374656D4469726563746F72794100000043726561746546696C654100000043726561746546696C654D617070696E67410000004D6170566965774F6646696C65000000556E6D6170566965774F6646696C65000000436C6F736548616E646C650000004C6F61644C6962726172794100000047657450726F63416464726573730000004578697450726F6365737300000000|"; distance: 36; within: 207; sid: 2009000934; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PGMPACK v013]"; flow: established,to_client; content: "|FA1E1750B430CD213C0273|"; content: "|B44CCD21FCBE|"; distance: 1; within: 7; content: "|BF|"; distance: 2; within: 3; content: "|E8|"; distance: 2; within: 3; content: "|E8|"; distance: 2; within: 3; content: "|BB|"; distance: 2; within: 3; content: "|BA|"; distance: 2; within: 3; content: "|8AC38BF3|"; distance: 2; within: 6; sid: 2009000935; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PGMPACK v014]"; flow: established,to_client; content: "|1E1750B430CD213C0273|"; content: "|B44CCD21FCBE|"; distance: 1; within: 7; content: "|BF|"; distance: 2; within: 3; content: "|E8|"; distance: 2; within: 3; content: "|E8|"; distance: 2; within: 3; content: "|BB|"; distance: 2; within: 3; content: "|BA|"; distance: 2; within: 3; content: "|8AC38BF3|"; distance: 2; within: 6; sid: 2009000936; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pi Cryptor 10 - by Scofield]"; flow: established,to_client; content: "|558BEC83C4EC53565731C08945ECB8401E0600E848FAFFFF33C05568361F060064FF306489206A0068800000006A036A006A0168000000808D55EC31C0E84EF4FFFF8B45ECE8F6F7FFFF50E8CCFAFFFF8BD883FBFF744E6A0053E8CDFAFFFF8BF881EFAC2600006A006A0068AC26000053E8DEFAFFFF89F8E8E3F1FFFF89C66A006828310600575653E8AEFAFFFF53E880FAFFFF89FA81EA720100008BC6E855FEFFFF89C689F009C07405E8A8FBFFFF31C05A5959648910683D1F06008D45ECE8C3F6FFFFC3|"; sid: 2009000937; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v100 v103]"; flow: established,to_client; content: "|B8|"; content: "|BA|"; distance: 2; within: 3; content: "|8CDB03D83B|"; distance: 2; within: 7; sid: 2009000938; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v100c (1)]"; flow: established,to_client; content: "|2E8C1E|"; content: "|8B1E|"; distance: 2; within: 4; content: "|8CDA81C2|"; distance: 2; within: 6; content: "|3BDA72|"; distance: 2; within: 5; content: "|81EB|"; distance: 1; within: 3; content: "|83EB|"; distance: 2; within: 4; content: "|FA8ED3BC|"; distance: 1; within: 5; content: "|FBFDBE|"; distance: 2; within: 5; content: "|8BFE|"; distance: 2; within: 4; sid: 2009000939; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v100c (2)]"; flow: established,to_client; content: "|BA|"; content: "|A1|"; distance: 2; within: 3; content: "|2D|"; distance: 2; within: 3; content: "|8CCB81C3|"; distance: 2; within: 6; content: "|3BC377|"; distance: 2; within: 5; content: "|05|"; distance: 1; within: 2; content: "|3BC377|"; distance: 2; within: 5; content: "|B409BA|"; distance: 1; within: 4; content: "|CD21CD2090|"; distance: 2; within: 7; sid: 2009000940; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v112 v115 v120 (1)]"; flow: established,to_client; content: "|B8|"; content: "|BA|"; distance: 2; within: 3; content: "|05|"; distance: 2; within: 3; content: "|3B06|"; distance: 2; within: 4; content: "|73|"; distance: 2; within: 3; content: "|2D|"; distance: 1; within: 2; content: "|FA8ED0FB2D|"; distance: 2; within: 7; content: "|8EC050B9|"; distance: 2; within: 6; content: "|33FF57BE|"; distance: 2; within: 6; content: "|FCF3A5CBB409BA|"; distance: 2; within: 9; content: "|CD21CD20|"; distance: 2; within: 6; sid: 2009000941; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v112 v115 v120 (2)]"; flow: established,to_client; content: "|B8|"; content: "|BA|"; distance: 2; within: 3; content: "|3BC473|"; distance: 2; within: 5; sid: 2009000942; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v114 v115 v120 (3)]"; flow: established,to_client; content: "|B8|"; content: "|BA|"; distance: 2; within: 3; content: "|05|"; distance: 2; within: 3; content: "|3B|"; distance: 2; within: 3; content: "|72|"; distance: 3; within: 4; content: "|B409BA|"; distance: 1; within: 4; content: "|01CD21CD204E6F|"; distance: 1; within: 8; sid: 2009000943; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v114 v120]"; flow: established,to_client; content: "|B8|"; content: "|BA|"; distance: 2; within: 3; content: "|05|"; distance: 2; within: 3; content: "|3B06|"; distance: 2; within: 4; content: "|72|"; distance: 2; within: 3; content: "|B409BA|"; distance: 1; within: 4; content: "|CD21CD20|"; distance: 2; within: 6; sid: 2009000944; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v120]"; flow: established,to_client; content: "|B8|"; content: "|BA|"; distance: 2; within: 3; content: "|05|"; distance: 2; within: 3; content: "|3B06|"; distance: 2; within: 4; content: "|72|"; distance: 2; within: 3; content: "|B409BA|"; distance: 1; within: 4; content: "|CD21B44CCD21|"; distance: 2; within: 8; sid: 2009000945; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v150 (1)]"; flow: established,to_client; content: "|50B8|"; content: "|BA|"; distance: 2; within: 3; content: "|05|"; distance: 2; within: 3; content: "|3B06|"; distance: 2; within: 4; content: "|72|"; distance: 2; within: 3; content: "|B4|"; distance: 1; within: 2; content: "|BA|"; distance: 1; within: 2; content: "|CD21B8|"; distance: 2; within: 5; content: "|CD21|"; distance: 2; within: 4; sid: 2009000946; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v150 (Device driver compression)]"; flow: established,to_client; content: "|B409BA1401CD21B8004CCD21F89C505351525657551E06BB|"; sid: 2009000947; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v200b]"; flow: established,to_client; content: "|50B8|"; content: "|BA|"; distance: 2; within: 3; content: "|05|"; distance: 2; within: 3; content: "|3B06020072|"; distance: 2; within: 7; content: "|B409BA|"; distance: 1; within: 4; content: "|CD21B8014CCD21|"; distance: 2; within: 9; content: "|592D|"; distance: 30; within: 32; content: "|8ED0512D|"; distance: 2; within: 6; content: "|8EC050B9|"; distance: 2; within: 6; sid: 2009000948; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v200b [extra]]"; flow: established,to_client; content: "|50B8|"; content: "|BA|"; distance: 2; within: 3; content: "|05|"; distance: 2; within: 3; content: "|3B06020072|"; distance: 2; within: 7; content: "|B409BA|"; distance: 1; within: 4; content: "|CD21B8014CCD21|"; distance: 2; within: 9; content: "|EA|"; distance: 30; within: 31; content: "|F3A5C3592D|"; distance: 4; within: 9; content: "|8ED0512D|"; distance: 2; within: 6; content: "|5080|"; distance: 2; within: 4; sid: 2009000949; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE v200c]"; flow: established,to_client; content: "|50B8|"; content: "|BA|"; distance: 2; within: 3; content: "|3BC473|"; distance: 2; within: 5; content: "|8BC42D|"; distance: 1; within: 4; content: "|25|"; distance: 2; within: 3; content: "|8BF8B9|"; distance: 2; within: 5; content: "|BE|"; distance: 2; within: 3; content: "|FC|"; distance: 2; within: 3; sid: 2009000950; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE32 11]"; flow: established,to_client; content: "|504B4C495445333220436F707972696768742031|"; sid: 2009000951; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE32 11 - PKWARE Inc]"; flow: established,to_client; content: "|68|"; content: "|0068|"; distance: 3; within: 5; content: "|006800000000E8|"; distance: 3; within: 10; content: "|E9|"; distance: 4; within: 5; sid: 2009000952; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE32 v11]"; flow: established,to_client; content: "|558BECA1|"; content: "|85C07409B8010000005DC20C008B450C5756538B5D10|"; distance: 4; within: 26; sid: 2009000953; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE32 v11]"; flow: established,to_client; content: "|68|"; content: "|68|"; distance: 4; within: 5; content: "|6800000000E8|"; distance: 4; within: 10; sid: 2009000954; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKLITE32 v11]"; flow: established,to_client; content: "|68|"; content: "|68|"; distance: 4; within: 5; content: "|B8|"; distance: 4; within: 5; content: "|2B44240C50|"; distance: 4; within: 9; sid: 2009000955; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pksmart 10b]"; flow: established,to_client; content: "|BA|"; content: "|8CC88BC803C281|"; distance: 2; within: 9; content: "|51B9|"; distance: 3; within: 5; content: "|511E8CD3|"; distance: 2; within: 6; sid: 2009000956; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKTINY v10 with TINYPROG v38]"; flow: established,to_client; content: "|2EC606|"; content: "|2EC606|"; distance: 3; within: 6; content: "|2EC606|"; distance: 3; within: 6; content: "|E9|"; distance: 3; within: 4; content: "|E8|"; distance: 2; within: 3; content: "|83|"; distance: 2; within: 3; sid: 2009000957; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PKZIP-SFX v11 1989-90]"; flow: established,to_client; content: "|FC2E8C0E|"; content: "|A1|"; distance: 2; within: 3; content: "|8CCB81C3|"; distance: 2; within: 6; content: "|3BC372|"; distance: 2; within: 5; content: "|2D|"; distance: 1; within: 2; content: "|2D|"; distance: 2; within: 3; content: "|FABC|"; distance: 2; within: 4; content: "|8ED0FB|"; distance: 2; within: 5; sid: 2009000958; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PLINK86 1984 1985]"; flow: established,to_client; content: "|FA8CC78CD68BCCBA|"; content: "|8EC226|"; distance: 2; within: 5; sid: 2009000959; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PluginToExe v100 - BoB BobSoft]"; flow: established,to_client; content: "|E80000000029C05D81EDD140400050FF95B8404000898509404000FF95B440400089851140400050FF95C04040008A0880F922750750FF95C440400089850D4040008B9D09404000606A006A015381C3|"; content: "|00FFD3616A006844694550FFB50D4040006A0081C3|"; distance: 3; within: 24; content: "|00FFD383C410FF95B0404000|"; distance: 3; within: 15; sid: 2009000960; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PluginToExe v101 - BoB BobSoft]"; flow: established,to_client; content: "|E80000000029C05D81EDC6414000508F857140400050FF95A541400089856D404000FF95A141400050FF95B541400080380074168A0880F922750750FF95B9414000898575404000EB6C6A018F85714040006A586A40FF95A941400089856940400089C768000800006A40FF95A941400089471CC70758000000C7472000080000C7471801000000C74734041088008D8DB9404000894F0C8D8DDB404000894F30FFB569404000FF9595414000FF771C8F85754040008B9D6D404000606A006A015381C3|"; content: "|00FFD3616A006844694550FFB5754040006A0081C3|"; distance: 3; within: 24; content: "|0000FFD383C41083BD71404000007410FF771CFF95AD41400057FF95AD4140006A00FF959D414000|"; distance: 2; within: 42; sid: 2009000961; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PluginToExe v102 - BoB BobSoft]"; flow: established,to_client; content: "|E80000000029C05D81ED32424000508F85DD40400050FF95114240008985D9404000FF950D42400050FF952142400080380074168A0880F922750750FF95254240008985E1404000EB6C6A018F85DD4040006A586A40FF95154240008985D540400089C768000800006A40FF951542400089471CC7075800|"; sid: 2009000962; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PMODEW v112 116 121 133 DOS extender]"; flow: established,to_client; content: "|FC1607BF|"; content: "|8BF757B9|"; distance: 2; within: 6; content: "|F3A5061E071F5FBE|"; distance: 2; within: 10; content: "|060EA4|"; distance: 2; within: 5; sid: 2009000963; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PocketPC ARM]"; flow: established,to_client; content: "|F0402DE90040A0E10150A0E10260A0E10370A0E1|"; content: "|0000EB0730A0E10620A0E10510A0E10400A0E1|"; distance: 1; within: 20; content: "|EBF040BDE8|"; distance: 3; within: 8; content: "|0000EA|"; distance: 1; within: 4; content: "|402DE9|"; distance: 1; within: 4; content: "|9FE5|"; distance: 2; within: 4; content: "|00|"; distance: 5; within: 6; content: "|9FE500|"; distance: 8; within: 11; content: "|00|"; distance: 4; within: 5; sid: 2009000964; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PocketPC MIB]"; flow: established,to_client; content: "|E8FFBD271400BFAF1800A4AF1C00A5AF2000A6AF2400A7AF|"; content: "|0C000000001800A48F1C00A58F2000A68F|"; distance: 3; within: 20; content: "|0C2400A78F|"; distance: 3; within: 8; content: "|0C252040001400BF8F0800E0031800BD27|"; distance: 3; within: 20; content: "|FFBD271800|"; distance: 1; within: 6; content: "|AF|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; sid: 2009000965; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PocketPC SHA]"; flow: established,to_client; content: "|862F962FA62FB62F224F4368536B636A7369F07F0BD00B40090009D0B365A36693670B408364036404D00B400900107F264FF66BF66AF6690B00F668|"; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00224FF07F0AD006D406D50B4009|"; distance: 3; within: 17; sid: 2009000966; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pohernah 100 - by Kas]"; flow: established,to_client; content: "|5860E8000000005D81ED202540008BBD862540008B8D8E2540006BC00583F00489859225400083F900742D817F1CAB000000751E8B770C03B58A25400031C03B4710740E508B85922540003006584046EBED83C72849EBCE8B85822540008944241C61FFE0|"; sid: 2009000967; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pohernah 101 - by Kas]"; flow: established,to_client; content: "|60E8000000005D81EDF12640008BBD182840008B8D20284000B83828400001E880300583F9007471817F1CAB00000075628B570C03951C28400031C05131C966B9FA006683F90074498B570C03951C2840008B852428400083F802750681C200020000518B4F1083F802750681E90002000057BFC800000089CEE82700000089C15FB83828400001E8E8240000005949EBB15983C72849EB8A8B85142840008944241C61FFE056574FF7D721FE89F05F5EC36083F00540904883F00589C689D760E80B0000006183C70883E907E2F161C3578B1F8B4F0468B979379E5A4289D048C1E005BF200000004A89DDC1E50429E98B6E0831DD29E989DDC1ED0531C529E92B4E0C89CDC1E50429EB8B2E31CD29EB89CDC1ED0531C529EB2B5E0429D04F75C85F891F894F04C3|"; sid: 2009000968; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pohernah 102 - by Kas]"; flow: established,to_client; content: "|60E8000000005D81EDDE2640008BBD052840008B8D0D284000B82528400001E880300583F9007471817F1CAB00000075628B570C03950928400031C05131C966B9F7006683F90074498B570C0395092840008B851128400083F802750681C200020000518B4F1083F802750681E90002000057BFC800000089CEE82700000089C15FB82528400001E8E8240000005949EBB15983C72849EB8A8B85012840008944241C61FFE056574FF7D721FE89F05F5EC36083F00540904883F00589C689D760E80B0000006183C70883E907E2F161C3578B1F8B4F0468B979379E5A4289D048C1E005BF200000004A89DDC1E50429E98B6E0831DD29E989DDC1ED0531C529E92B4E0C89CDC1E50429EB8B2E31CD29EB89CDC1ED0531C529EB2B5E0429D04F75C85F891F894F04C3|"; sid: 2009000969; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Pohernah 103 - by Kas]"; flow: established,to_client; content: "|60E8000000005D81ED2A27400031C04083F006403D401F00007507BE6A274000EB02EBEB8B859E28400083F801751731C001EE3D99000000740C8B8D86284000300E4046EBED|"; content: "|56574FF7D721FE89F05F5EC36083F00540904883F00589C689D760E80B0000006183C70883E907E2F161C3578B1F8B4F0468B979379E5A4289D048C1E005BF200000004A89DDC1E50429E98B6E0831DD29E989DDC1ED0531C529E92B4E0C89CDC1E50429EB8B2E31CD29EB89CDC1ED0531C529EB2B5E0429D04F75C85F891F894F04C3|"; distance: 153; within: 284; sid: 2009000970; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PolyCryptor by SMT Version v3v4]"; flow: established,to_client; content: "|EB|"; content: "|28506F6C7953637279707420|"; distance: 1; within: 13; content: "|20627920534D5429|"; distance: 3; within: 11; sid: 2009000971; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PoPa 001 (Packer on Pascal) - bagie]"; flow: established,to_client; content: "|558BEC83C4EC53565733C08945ECB8A43E0010E830F6FFFF33C05568BE400010|"; content: "|89206A0068800000006A036A006A0168000000808D55EC33C0E862E7FFFF8B45ECE832F2FFFF50E8B4F6FFFFA36466001033D255689340001064FF32648922833D64660010FF0F843A0100006A006A006A00A16466001050E89BF6FFFF83E81050A16466001050E8BCF6FFFF6A0068806600106A106868660010A16466001050E88BF6FFFF|"; distance: 4; within: 137; sid: 2009000972; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PPC-PROTECT 11X - Alexey Gorchakov]"; flow: established,to_client; content: "|FF5F2DE920009FE5000090E518008FE518009FE5000090E510008FE50100A0E3000000EB020000EA04F01FE5|"; sid: 2009000973; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Private Exe Protector 1x - setisoft]"; flow: established,to_client; content: "|B8|"; content: "|B9|"; distance: 4; within: 5; content: "|9001|"; distance: 1; within: 3; content: "|BE|"; distance: 1; within: 2; content: "|1040|"; distance: 1; within: 3; content: "|68509141|"; distance: 1; within: 5; content: "|6801|"; distance: 1; within: 3; content: "|C3|"; distance: 3; within: 4; sid: 2009000974; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Private EXE v20a]"; flow: established,to_client; content: "|53E8000000005B8BC32D|"; sid: 2009000975; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Private Personal Packer (PPP) 103 - ConquestOfTroycom]"; flow: established,to_client; content: "|E8190000009090E868000000FF352C370010E8ED0100006A00E82E040000E841040000A3743700106A64E85F040000E830040000A3783700106A64E84E040000E81F040000A37C370010A1743700108B1D783700102BD88B0D7C3700102BC883FB64730F81F9C800000073076A00E8D9030000C36A0A6A076A00E8D3030000A320370010506A00E8DE030000A324370010FF35203700106A00E8EA030000A330370010FF3524370010E8C2030000A3283700108B0D303700108B3D28370010EB0949C0043955803439240BC9|"; sid: 2009000976; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Private Personal Packer (PPP) v102 -- ConquestOfTroycom]"; flow: established,to_client; content: "|E817000000E868000000FF352C370010E8ED0100006A00E82E040000E841040000A3743700106A64E85F040000E830040000A3783700106A64E84E040000E81F040000A37C370010A1743700108B1D783700102BD88B0D7C3700102BC883FB64730F81F9C800000073076A00E8D9030000C36A0A6A076A00|"; sid: 2009000977; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PrivateEXE v20a]"; flow: established,to_client; content: "|0660C8|"; content: "|0E68|"; distance: 3; within: 5; content: "|9A|"; distance: 2; within: 3; content: "|3D|"; distance: 4; within: 5; content: "|0F|"; distance: 2; within: 3; content: "|50500E68|"; distance: 3; within: 7; content: "|9A|"; distance: 2; within: 3; content: "|0E|"; distance: 4; within: 5; sid: 2009000978; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PrivateEXE v20a]"; flow: established,to_client; content: "|53E8|"; content: "|5B8BC32D|"; distance: 4; within: 8; content: "|5081|"; distance: 4; within: 6; content: "|8B|"; distance: 5; within: 6; sid: 2009000979; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PRO-PACK v208]"; flow: established,to_client; content: "|8CD38EC38CCA8EDA8B0E|"; content: "|8BF183|"; distance: 2; within: 5; content: "|8BFED1|"; distance: 2; within: 5; content: "|FDF3A553|"; distance: 1; within: 5; sid: 2009000980; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PRO-PACK v208 emphasis on packed size locked]"; flow: established,to_client; content: "|83EC|"; content: "|8BECBE|"; distance: 1; within: 4; content: "|FCE8|"; distance: 2; within: 4; content: "|05|"; distance: 2; within: 3; content: "|8BC8E8|"; distance: 2; within: 5; content: "|8B|"; distance: 2; within: 3; sid: 2009000981; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ProActivate V10X - TurboPower Software Company]"; flow: established,to_client; content: "|558BECB90E0000006A006A004975F951535657B8|"; content: "|909090909033C05568|"; distance: 4; within: 13; content: "|64FF30648920A1|"; distance: 4; within: 11; content: "|83C005A3|"; distance: 4; within: 8; content: "|C705|"; distance: 4; within: 6; content: "|0D000000E885E2FFFF813D|"; distance: 4; within: 15; content: "|217E7E40757A813D|"; distance: 4; within: 12; content: "|43524333756E813D|"; distance: 4; within: 12; content: "|32407E7E7562813D|"; distance: 4; within: 12; content: "|217E7E407556813D|"; distance: 4; within: 12; content: "|43524333754A813D|"; distance: 4; within: 12; content: "|32407E7E753E813D|"; distance: 4; within: 12; content: "|217E7E407532813D|"; distance: 4; within: 12; content: "|43524333|"; distance: 4; within: 8; sid: 2009000982; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Program Protector XP v10]"; flow: established,to_client; content: "|E8|"; content: "|5883D80589C381C3|"; distance: 4; within: 12; content: "|8B436450|"; distance: 4; within: 8; sid: 2009000983; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PROTECT EXECOM v60]"; flow: established,to_client; content: "|1EB430CD213C0273|"; content: "|CD20BE|"; distance: 1; within: 4; content: "|E8|"; distance: 2; within: 3; sid: 2009000984; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Protection Plus vxx]"; flow: established,to_client; content: "|506029C064FF30E8|"; content: "|5D83ED3C89E889A514|"; distance: 4; within: 13; content: "|2B851C|"; distance: 3; within: 6; content: "|89851C|"; distance: 3; within: 6; content: "|8D852703|"; distance: 3; within: 7; content: "|508B|"; distance: 2; within: 4; content: "|85C00F85C0|"; distance: 1; within: 6; content: "|8DBD5B03|"; distance: 3; within: 7; content: "|8DB54303|"; distance: 2; within: 6; content: "|E8DD|"; distance: 2; within: 4; content: "|89851F03|"; distance: 3; within: 7; content: "|6A4068|"; distance: 2; within: 5; content: "|10|"; distance: 1; within: 2; content: "|8B85|"; distance: 2; within: 4; sid: 2009000985; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[pscrambler 12 - by p0ke]"; flow: established,to_client; content: "|558BECB9040000006A006A004975F95153|"; content: "|10E82DF3FFFF33C05568E831001064FF306489208D45E0E853F5FFFF8B45E08D55E4E830F6FFFF8B45E48D55E8E8A9F4FFFF8B45E88D55ECE8EEF7FFFF8B55ECB8C4540010E8D9ECFFFF833DC4540010000F8405010000803DA0400010007441A1C4540010E8D9EDFFFFE848E0FFFF8BD8A1C4540010E8C8EDFFFF50B8C4540010E865EFFFFF8BD359E869E1FFFF8BC3E812FAFFFF8BC3E833E0FFFFE9AD000000B805010000E80CE0FFFF8BD8536805010000E857F3FFFF8D45DC8BD3E839EDFFFF8B55DCB814560010B900320010E8BBEDFFFF8B1514560010B8C8540010E853E5FFFFBA01000000B8C8540010E88CE8FFFFE8DFE0FFFF85C075526A00A1C4540010E83BEDFFFF50B8C4540010E8D8EEFFFF8BD0B8C854001059E83BE6FFFFE876E0FFFFB8C8540010E84CE6FFFFE867E0FFFF6A006A006A00A114560010E853EEFFFF506A006A00E841F3FFFF803D9C400010007405E8EFFBFFFF33C05A595964891068EF3100108D45DCBA05000000E87DEBFFFFC3E923E9FFFFEBEB5BE863EAFFFF000000FFFFFFFF0800000074656D702E657865|"; distance: 4; within: 411; sid: 2009000986; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PUNiSHER v15 (DEMO) - FEUERRADERAHTeam]"; flow: established,to_client; content: "|EB0483A4BCCE60EB0480BC0411E800000000812C24CAC24100EB04646B88185DE800000000EB04646B8818812C2486000000EB04646B88188B859CC24100EB04646B8818290424EB04646B8818EB04646B88188B04|"; sid: 2009000987; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PUNiSHER v15 (DEMO) - FEUERRADERAHTeam]"; flow: established,to_client; content: "|EB0483A4BCCE60EB0480BC0411E800000000812C24CAC24100EB04646B88185DE800000000EB04646B8818812C2486000000EB04646B88188B859CC24100EB04646B8818290424EB04646B8818EB04646B88188B0424EB04646B881889859CC24100EB04646B881858689F6F56B650E85D000000EBFF7178C25000EBD35BF368895C24485C2458FF8D5C24585B83C34C75F45A8D7178750981F3EBFF52BA010083EBFC4AFF710F75198B5C240000813350538B1B0FFFC6751B81F3EB871C248B8B042483ECFCEB01E883ECFCE9E700000058EBFFF0EBFFC083E8FDEBFF30E8C900000089E0EBFFD0EBFF710F83C001EBFF70F071EEEBFAEB83C014EBFF70ED|"; sid: 2009000988; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PUNiSHER V15 Demo- FEUERRADER]"; flow: established,to_client; content: "|EB0483A4BCCE60EB0480BC0411E800000000|"; sid: 2009000989; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PureBasic 4x - Neil Hodgson]"; flow: established,to_client; content: "|68|"; content: "|0000680000000068|"; distance: 2; within: 10; content: "|00E8|"; distance: 3; within: 5; content: "|0083C40C6800000000E8|"; distance: 3; within: 13; content: "|00A3|"; distance: 3; within: 5; content: "|00680000000068001000006800000000E8|"; distance: 3; within: 20; content: "|00A3|"; distance: 3; within: 5; sid: 2009000990; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PureBasic 4x DLL - Neil Hodgson]"; flow: established,to_client; content: "|837C240801750E8B442404A3|"; content: "|10E822000000837C2408027500837C2408007505E8|"; distance: 3; within: 24; content: "|000000837C2408037500B801000000C20C00680000000068001000006800000000E8|"; distance: 1; within: 35; content: "|0F0000A3|"; distance: 1; within: 5; sid: 2009000991; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[PureBasic DLL - Neil Hodgson]"; flow: established,to_client; content: "|837C24080175|"; content: "|8B442404A3|"; distance: 1; within: 6; content: "|10E8|"; distance: 3; within: 5; sid: 2009000992; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[QrYPt0r - by NuTraL]"; flow: established,to_client; content: "|EB00E8B5000000E92E01000064FF3500000000|"; content: "|648925000000008B442404|"; distance: 50; within: 61; sid: 2009000993; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RatPacker (Glue) stub]"; flow: established,to_client; content: "|4020FF00000000000000|"; content: "|BE006040008DBE00B0FFFF|"; distance: 1; within: 12; sid: 2009000994; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RAZOR 1911 encruptor]"; flow: established,to_client; content: "|E8|"; content: "|BF|"; distance: 2; within: 3; content: "|3BFC72|"; distance: 2; within: 5; content: "|B44CCD21BE|"; distance: 1; within: 6; content: "|B9|"; distance: 2; within: 3; content: "|FDF3A5FC|"; distance: 2; within: 6; sid: 2009000995; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor 15 - Vaska]"; flow: established,to_client; content: "|832C244F68|"; content: "|FF542404834424044FB8|"; distance: 4; within: 14; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|EBF3B8|"; distance: 2; within: 5; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009000996; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor 16c - Vaska]"; flow: established,to_client; content: "|8BC70304242BC78038500F851B8B1FFF68|"; content: "|B8|"; distance: 4; within: 5; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3B8|"; distance: 1; within: 5; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009000997; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor 20 - Vaska]"; flow: established,to_client; content: "|F7D183F1FF6A00F7D183F1FF810424|"; content: "|F7D183F1FF|"; distance: 4; within: 9; sid: 2009000998; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v13 v14 -- Vaska]"; flow: established,to_client; content: "|558BEC8B44240483E84F68|"; content: "|FFD0585950|"; distance: 4; within: 9; sid: 2009000999; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v13 v14 -- Vaska]"; flow: established,to_client; content: "|558BEC8B44240483E84F68|"; content: "|FFD0585950B8|"; distance: 4; within: 10; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009001000; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v13b -- Vaska]"; flow: established,to_client; content: "|6183EF4F6068|"; content: "|FFD7|"; distance: 4; within: 6; sid: 2009001001; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v13b -- Vaska]"; flow: established,to_client; content: "|6183EF4F6068|"; content: "|FFD7B8|"; distance: 4; within: 7; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009001002; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v15 (Private) -- Vaska]"; flow: established,to_client; content: "|832C244F68|"; content: "|FF542404834424044FB8|"; distance: 4; within: 14; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009001003; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v15 -- Vaska]"; flow: established,to_client; content: "|832C244F68|"; content: "|FF542404834424044F|"; distance: 4; within: 13; sid: 2009001004; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v16 - Vaska]"; flow: established,to_client; content: "|33D068|"; content: "|FFD2|"; distance: 4; within: 6; sid: 2009001005; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v16 - Vaska]"; flow: established,to_client; content: "|33D068|"; content: "|FFD2B8|"; distance: 4; within: 7; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009001006; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v16b v16c -- Vaska]"; flow: established,to_client; content: "|8BC70304242BC78038500F851B8B1FFF68|"; sid: 2009001007; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v16b v16c -- Vaska]"; flow: established,to_client; content: "|8BC70304242BC78038500F851B8B1FFF68|"; content: "|B8|"; distance: 4; within: 5; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009001008; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v16d -- Vaska]"; flow: established,to_client; content: "|60906161807FF04590600F851B8B1FFF68|"; sid: 2009001009; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor V16d - Vaska]"; flow: established,to_client; content: "|60906161807FF04590600F851B8B1FFF68|"; content: "|B8|"; distance: 4; within: 5; content: "|903D|"; distance: 4; within: 6; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3B8|"; distance: 1; within: 5; content: "|903D|"; distance: 4; within: 6; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009001010; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v16x -- Vaska]"; flow: established,to_client; content: "|60906161807FF04590600F851B8B1FFF68|"; content: "|C3|"; distance: 4; within: 5; sid: 2009001011; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v1 - Vaska]"; flow: established,to_client; content: "|90589050908B00903C5090580F8567D6EF115068|"; sid: 2009001012; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v1 - Vaska]"; flow: established,to_client; content: "|90589050908B00903C5090580F8567D6EF115068|"; content: "|B8|"; distance: 4; within: 5; content: "|3D|"; distance: 4; within: 5; content: "|74068030|"; distance: 4; within: 8; content: "|40EBF3|"; distance: 1; within: 4; sid: 2009001013; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v20 (Hide EP) -- Vaska]"; flow: established,to_client; content: "|F7D183F1FF6A00F7D183F1FF810424DC20|"; content: "|00F7D183F1FFE800000000F7D183F1FFC3|"; distance: 1; within: 18; sid: 2009001014; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RCryptor v20 -- Vaska]"; flow: established,to_client; content: "|F7D183F1FF6A00F7D183F1FF810424|"; content: "|020000F7D183F1FF59BA3221|"; distance: 1; within: 13; content: "|00F7D183F1FFF7D183F1FF8002E3F7D183F1FFC00A05F7D183F1FF80026FF7D183F1FF8032A4F7D183F1FF80022DF7D183F1FF424985C975CD1C4F8D5BFD621E1C4F8D5BFD4D9DB9|"; distance: 1; within: 73; content: "|1E1C4F8D5BFD221C4F8D5BFD8EA2B9B9E283DBE2E54DCD1EBF60AB1F4DDB1E1E3D1E921B8EDC7DECA4E24DE520C6CCB28EEC2D7DDC1C4F8D5BFD83568EE03A7DD08E9D6E7DD64D2506C2AB20CC3A4D2D9D6B0B8145CC184D2D1FA1A16BC2CCF7E24D2D9E8B8BCCDE2E2DF71EAB7D4592308EE6B97DD68E9D27DAFDFD1E1E8EDFB87DCF8EA34D7DDC1C4F8D5BFD33D71E1E1EA60B41A1A642616B416B4C451E21F626BCE2621E621E621E236359|"; distance: 3; within: 176; content: "|1E621E621E33D71E1E1E856BC241ABC29F236BC241A11EC0FDF0FD3020339E1E1E1E85A20B8BC22741EBA1A2C21EC0FDF0FD30621E337E1E1E1EC62D42AB9F236BC241A11EC0FDF0FD30C0FDF08E1D1C4F8D5BFDE000335E1E1E1EBF0BECC2E642A2C2451EC0FDF0FD30CE36CCF21C4F8D5BFD|"; distance: 1; within: 116; sid: 2009001015; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RE-Crypt v07x - Crudd [RET] (h1)]"; flow: established,to_client; content: "|60E8000000005D81EDF31D4000B97B0900008DBD3B1E40008BF76160E8000000005D558104240A000000C38BF581C5|"; content: "|0000896D348975388B7D3881E700FFFFFF81C74800000047037D608B4D5C83F9007E0F8B|"; distance: 2; within: 38; sid: 2009001016; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RE-Crypt v07x - Crudd [RET] (h2)]"; flow: established,to_client; content: "|60E8000000005D558104240A000000C38BF581C5|"; content: "|0000896D348975388B7D3881E700FFFFFF81C74800000047037D608B4D5C83F9007E0F8B17335558891783C70483C1FCEBEC8B|"; distance: 2; within: 53; sid: 2009001017; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Reflexive Arcade Wrapper]"; flow: established,to_client; content: "|558BEC6AFF68986842006814FA410064A100000000506489250000000083EC585356578965E8FF15F850420033D28AD489153CE842008BC881E1FF000000890D38E84200C1E10803CA890D34E84200C1E810A330E8|"; sid: 2009001018; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Reg2Exe 220221 - by Jan Vorel]"; flow: established,to_client; content: "|6A00E87D120000A3A0444000E8791200006A0A506A00FF35A0444000E80F00000050E869120000CCCCCCCCCCCCCCCCCC682C020000680000000068B0444000E83A12000083C40C8B442404A3B8444000680000000068A00F00006800000000E832120000A3B044400068F401000068BC444000FF35B8444000E81E120000B8BC44400089C18A304080FE5C750289C180FE0075F1C60100E8EC180000E828160000E84A1200006800FA00006808000000FF35B0444000E8E7110000A3B44440008B15D4464000E8650A0000BB00001000B801000000E8720A00007409C7000100000083C004A3D4464000FF35B4444000E8260500008D0DB84640005AE8CF0F0000FF35B4444000FF35B8464000E8EE0600008D0DB44640005AE8|"; sid: 2009001019; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Reg2Exe 222223 - by Jan Vorel]"; flow: established,to_client; content: "|6A00E82F1E0000A3C4354000E82B1E00006A0A506A00FF35C4354000E80700000050E81B1E0000CC6848000000680000000068C8354000E87616000083C40C8B442404A3CC354000680000000068A00F00006800000000E8EC1D0000A3C8354000E8621D0000E8921A0000E880160000E8131400006801000000680836400068000000008B1508364000E8713F0000B800001000BB01000000E8823F0000FF3548314000B800010000E80D1300008D0DEC3540005AE8F21300006800010000FF35EC354000E8841D0000A3F4354000FF3548314000FF35F4354000FF35EC354000E8|"; sid: 2009001020; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Reg2Exe 224 - by Jan Vorel]"; flow: established,to_client; content: "|6A00E8CF200000A3F4454000E8CB2000006A0A506A00FF35F4454000E80700000050E8BB200000CC6848000000680000000068F8454000E80619000083C40C8B442404A3FC454000680000000068A00F00006800000000E88C200000A3F8454000E802200000E8321D0000E820190000E8A31600006801000000683846400068000000008B1538464000E8714F0000B800001000BB01000000E8824F0000FF3548414000B800010000E89D1500008D0D1C4640005AE8821600006800010000FF351C464000E824200000A324464000FF3548414000FF3524464000FF351C464000E8DC1000008D0D144640005AE84A16|"; sid: 2009001021; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Reg2Exe 225 - by Jan Vorel]"; flow: established,to_client; content: "|6868000000680000000068707D4000E8AE20000083C40C6800000000E8AF520000A3747D4000680000000068001000006800000000E89C520000A3707D4000E824500000E8E2480000E844340000E854280000E898270000E893200000680100000068D07D400068000000008B15D07D4000E8898F0000B8000010006801000000E89A8F0000FF35A47F40006800010000E83A2300008D0DA87D40005AE85E1F0000FF35A87D40006800010000E82A520000A3B47D4000FF35A47F4000FF35B47D4000FF35A87D4000E85C0C00008D0DA07D40005AE8261F0000FF35|"; sid: 2009001022; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ReversingLabsProtector 074 beta - Ap0x]"; flow: established,to_client; content: "|6800004100E801000000C3C3|"; sid: 2009001023; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RJcrush v100]"; flow: established,to_client; content: "|06FC8CC8BA|"; content: "|03D052BA|"; distance: 2; within: 6; content: "|52BA|"; distance: 2; within: 4; content: "|03C28BD805|"; distance: 2; within: 7; content: "|8EDB8EC033F633FFB9|"; distance: 2; within: 11; sid: 2009001024; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RJoiner 12 by Vaska (25032007 1658)]"; flow: established,to_client; content: "|558BEC81EC0C0200008D85F4FDFFFF56506804010000FF1514104000908D85F4FDFFFF50FF151010400090BE0020400090833EFF0F8484000000535733FF8D46|"; sid: 2009001025; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RJoiner by Vaska (Sign from pinch 25032007 1700)]"; flow: established,to_client; content: "|E803FDFFFF6A00E80C000000FF256C104000FF2570104000FF2574104000FF2578104000FF257C104000FF2580104000FF2584104000FF2588104000FF258C10|"; sid: 2009001026; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack -- Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB52C0A00008D9D2202000033FFE8830100006A4068001000006800200C006A00FF95CD0900008985140A0000EB1460FFB5140A|"; sid: 2009001027; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack -- Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB55A0A00008D9D4002000033FFE8830100006A4068001000006800200C006A00FF95EB09000089853A0A0000EB1460FFB53A0A|"; sid: 2009001028; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack -- Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404EB030C0000EB030C00008DB5CB2200008D9DF002000033FFE847020000EB031500006A4068001000006800200C006A00FF959B0A|"; sid: 2009001029; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB52C0A00008D9D2202000033FFE8|"; content: "|6A4068|"; distance: 4; within: 7; content: "|68|"; distance: 4; within: 5; content: "|6A00FF95CD0900008985|"; distance: 4; within: 14; content: "|EB1460FFB5140A|"; distance: 4; within: 11; sid: 2009001030; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB55A0A00008D9D4002000033FFE8|"; content: "|6A4068|"; distance: 4; within: 7; content: "|68|"; distance: 4; within: 5; content: "|6A00FF95EB0900008985|"; distance: 4; within: 14; content: "|EB1460FFB53A0A|"; distance: 4; within: 11; sid: 2009001031; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404EB03|"; content: "|EB03|"; distance: 3; within: 5; content: "|8DB5CB2200008D9DF002000033FFE8|"; distance: 3; within: 18; content: "|EB03|"; distance: 4; within: 6; content: "|6A4068|"; distance: 3; within: 6; content: "|68|"; distance: 4; within: 5; content: "|6A00FF959B0A|"; distance: 4; within: 10; sid: 2009001032; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 10 beta - ap0x]"; flow: established,to_client; content: "|60E8000000008D6424048B6C24FC8DB54C0200008D9D1301000033FFEB0FFF743704FF3437FFD383C40883C708833C370075EB8D743704536A40680010000068|"; content: "|6A00FF95F90100008985480200005BFFB5|"; distance: 4; within: 21; sid: 2009001033; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 10 beta - ap0x]"; flow: established,to_client; content: "|60E8000000008D6424048B6C24FC8DB54C0200008D9D1301000033FFEB0FFF743704FF3437FFD383C40883C708833C370075EB8D743704536A40680010000068|"; content: "|6A00FF95F90100008985480200005BFFB54802000056FFD383C4088BB5480200008BC6EB014080380175FA408B3883C004898544020000EB7A56FF95F10100008985400200008BC6EB4F8B85440200008B00A90000008074143500000080508B8544020000C70020202000EB06FFB544020000FFB540020000FF95F5010000890783C7048B8544020000EB014080380075FA4089854402000080380075ACEB0146803E0075FA46408B3883C004898544020000803E017581680040000068|"; distance: 4; within: 194; content: "|FFB548020000FF95FD0100006168|"; distance: 4; within: 18; content: "|C3608B7424248B7C|"; distance: 4; within: 12; sid: 2009001034; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 11 BasicEdition - ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB54A0200008D9D1101000033FFEB0FFF743704FF3437FFD383C40883C708833C370075EB8D743704536A40680010000068|"; sid: 2009001035; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 118 (aPlib 043) - ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4|"; content: "|8DB51A0400008D9DC102000033FFE861010000EB0FFF743704FF3437FFD383C4|"; distance: 1; within: 33; content: "|83C7|"; distance: 1; within: 3; content: "|833C370075EB83BD0604000000740E83BD0A040000007405E8D70100008D743704536A|"; distance: 1; within: 36; content: "|68|"; distance: 1; within: 2; content: "|68|"; distance: 4; within: 5; content: "|6A00FF95A70300008985160400005BFFB51604000056FFD383C4|"; distance: 4; within: 30; content: "|8BB5160400008BC6EB01|"; distance: 1; within: 11; sid: 2009001036; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 118 (LZMA 430) - ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4|"; content: "|8DB5210B00008D9DFF02000033FFE89F0100006A|"; distance: 1; within: 21; content: "|68|"; distance: 1; within: 2; content: "|68|"; distance: 4; within: 5; content: "|6A00FF95AA0A00008985F90A0000EB1460FFB5F90A0000FF3437FF743704FFD36183C7|"; distance: 4; within: 39; content: "|833C370075E683BD0D0B000000740E83BD110B0000007405E8F60100008D743704536A|"; distance: 1; within: 36; content: "|68|"; distance: 1; within: 2; content: "|68|"; distance: 4; within: 5; content: "|6A00FF95AA0A000089851D0B00005B60FFB5F90A000056FFB51D0B0000FFD3618BB51D0B00008BC6EB01|"; distance: 4; within: 46; sid: 2009001037; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 118 Dll (aPlib 043) - ap0x]"; flow: established,to_client; content: "|807C2408010F855C01000060E8000000008B2C2483C4|"; content: "|8DB51A0400008D9DC102000033FFE861010000EB0FFF743704FF3437FFD383C4|"; distance: 1; within: 33; content: "|83C7|"; distance: 1; within: 3; content: "|833C370075EB83BD0604000000740E83BD0A040000007405E8D70100008D743704536A|"; distance: 1; within: 36; content: "|68|"; distance: 1; within: 2; content: "|68|"; distance: 4; within: 5; content: "|6A|"; distance: 4; within: 5; content: "|FF95A70300008985160400005BFFB51604000056FFD383C4|"; distance: 1; within: 25; content: "|8BB5160400008BC6EB01|"; distance: 1; within: 11; sid: 2009001038; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 118 Dll (LZMA 430) - ap0x]"; flow: established,to_client; content: "|807C2408010F85|"; content: "|01000060E8000000008B2C2483C4048DB5|"; distance: 1; within: 18; content: "|8D9D|"; distance: 4; within: 6; content: "|33FFE89F0100006A|"; distance: 4; within: 12; content: "|68|"; distance: 1; within: 2; content: "|68|"; distance: 4; within: 5; content: "|6A|"; distance: 4; within: 5; content: "|FF95AA0A00008985F90A0000EB1460FFB5F90A0000FF3437FF743704FFD36183C708833C370075E683BD0D0B000000740E83BD110B0000007405E8F60100008D743704536A|"; distance: 1; within: 70; content: "|68|"; distance: 1; within: 2; content: "|68|"; distance: 4; within: 5; content: "|6A|"; distance: 4; within: 5; content: "|FF95AA0A000089851D0B00005B60FFB5F90A000056FFB51D0B0000FFD3618BB51D0B00008BC6EB01|"; distance: 1; within: 41; sid: 2009001039; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 120 Basic Edition [aPLib] - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404837C242801750C8B442424898592050000EB0C8B858E0500008985920500008DB5BA0500008D9D4104000033FFE838010000EB1B8B8592050000FF743704010424FF3437010424FFD383C40883C708833C370075DF83BD9E05000000740E83BDA2050000007405E8D6010000|"; sid: 2009001040; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack 120 Basic Edition [LZMA] - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404837C242801750C8B44242489859C0C0000EB0C8B85980C000089859C0C00008DB5C40C00008D9D8204000033FF6A4068001000006800200C006A00FF952D0C00008985940C0000E859010000EB20608B859C0C0000FFB5940C0000FF3437010424FF743704010424FFD36183|"; sid: 2009001041; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack Full Edition 117 - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404|"; content: "|8DB5|"; distance: 15; within: 17; content: "|8D9D|"; distance: 4; within: 6; content: "|33FF|"; distance: 4; within: 6; sid: 2009001042; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack Full Edition 117 DLL - Ap0x]"; flow: established,to_client; content: "|807C2408010F85|"; content: "|60E8000000008B2C2483C4048DB5|"; distance: 4; within: 18; content: "|8D9D|"; distance: 4; within: 6; content: "|33FFE8|"; distance: 4; within: 7; sid: 2009001043; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack Full Edition 117 DLL [aPLib] - Ap0x]"; flow: established,to_client; content: "|807C2408010F85|"; content: "|60E8000000008B2C2483C4048DB5530300008D9D0202000033FFE8|"; distance: 4; within: 31; content: "|EB0FFF743704FF3437FFD383C40883C708833C370075|"; distance: 4; within: 26; sid: 2009001044; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack Full Edition 117 DLL [LZMA] - Ap0x]"; flow: established,to_client; content: "|807C2408010F85|"; content: "|60E8000000008B2C2483C4048DB55A0A00008D9D4002000033FFE8|"; distance: 4; within: 31; content: "|6A4068|"; distance: 4; within: 7; content: "|68|"; distance: 4; within: 5; content: "|6A00FF95EB0900008985|"; distance: 4; within: 14; sid: 2009001045; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack Full Edition 117 iBox [aPLib] - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404|"; content: "|8DB5792900008D9D2C03000033FF|"; distance: 15; within: 29; content: "|EB0FFF743704FF34|"; distance: 15; within: 23; sid: 2009001046; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack Full Edition 117 iBox [LZMA] - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404|"; content: "|8DB5673000008D9D6603000033FF|"; distance: 15; within: 29; content: "|6A4068|"; distance: 10; within: 13; content: "|68|"; distance: 4; within: 5; content: "|6A|"; distance: 4; within: 5; sid: 2009001047; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack Full Edition 117 [aPLib] - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404|"; content: "|8DB5741F00008D9D1E03000033FF|"; distance: 15; within: 29; content: "|EB0FFF743704FF34|"; distance: 15; within: 23; sid: 2009001048; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack Full Edition 117 [LZMA] - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404|"; content: "|8DB5732600008D9D5803000033FF|"; distance: 15; within: 29; content: "|6A4068|"; distance: 10; within: 13; content: "|68|"; distance: 4; within: 5; content: "|6A|"; distance: 4; within: 5; sid: 2009001049; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V10beta - ap0x]"; flow: established,to_client; content: "|60E8000000008D6424048B6C24FC8DB54C0200008D9D1301000033FFEB0FFF743704FF3437FFD383C40883C708833C370075EB|"; sid: 2009001050; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V111 - ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB54A0200008D9D1101000033FFEB0FFF743704FF3437FFD383C40883C708833C370075EB|"; sid: 2009001051; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V115-V117 (aPlib 043) - ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB5|"; content: "|8D9D|"; distance: 4; within: 6; content: "|33FFE845010000EB0FFF743704FF3437FFD383C40883C708833C370075EB|"; distance: 4; within: 34; sid: 2009001052; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V115-V117 (LZMA 430) - ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB5|"; content: "|8D9D|"; distance: 4; within: 6; content: "|33FFE8830100006A|"; distance: 4; within: 12; content: "|68|"; distance: 1; within: 2; content: "|68|"; distance: 4; within: 5; content: "|6A|"; distance: 4; within: 5; content: "|FF95|"; distance: 1; within: 3; content: "|8985|"; distance: 4; within: 6; content: "|EB14|"; distance: 4; within: 6; sid: 2009001053; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V115-V117 Dll - ap0x]"; flow: established,to_client; content: "|807C2408010F85|"; content: "|01000060E8000000008B2C2483C4048DB5|"; distance: 1; within: 18; content: "|8D9D|"; distance: 4; within: 6; content: "|33FFE8|"; distance: 4; within: 7; sid: 2009001054; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack v118 Basic DLL [aPLib] - Ap0x]"; flow: established,to_client; content: "|807C2408010F85|"; content: "|60E8000000008B2C2483C4048DB51A0400008D9DC102000033FFE861010000EB0FFF743704FF3437FFD383C40883C708833C370075EB83BD0604000000740E83|"; distance: 4; within: 68; sid: 2009001055; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack v118 Basic DLL [LZMA] - Ap0x]"; flow: established,to_client; content: "|807C2408010F85|"; content: "|60E8000000008B2C2483C4048DB5210B00008D9DFF02000033FFE89F0100006A4068001000006800200C006A00FF95AA0A00008985F90A0000EB1460FFB5F90A|"; distance: 4; within: 68; sid: 2009001056; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack v118 Basic [aPLib] - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB51A0400008D9DC102000033FFE861010000EB0FFF743704FF3437FFD383C40883C708833C370075EB83BD0604000000740E83|"; sid: 2009001057; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack v118 Basic [LZMA] - Ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C4048DB5210B00008D9DFF02000033FFE89F0100006A4068001000006800200C006A00FF95AA0A00008985F90A0000EB1460FFB5F90A|"; sid: 2009001058; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V119 (aPlib 043) - ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404837C242801750C8B44242489853C040000EB0C8B853804000089853C0400008DB5600400008D9DEB02000033FFE852010000EB1B8B853C040000FF743704010424FF3437010424FFD383C40883C708833C370075DF83BD4804000000740E83BD4C040000007405E8B80100008D743704536A40680010000068|"; content: "|6A00FF95D103000089855C0400005BFFB55C04000056FFD383C4088BB55C0400008BC6EB014080380175FA408B3803BD3C04000083C004898558040000E99400000056FF95C903000085C00F84B40000008985540400008BC6EB5B8B85580400008B00A90000008074143500000080508B8558040000C70020202000EB06FFB558040000FFB554040000FF95CD03000085C07471890783C7048B8558040000EB014080380075FA4089855804000066817802008074A580380075A0EB0146803E0075FA46408B3803BD3C04000083C004898558040000803E010F8563FFFFFF680040000068|"; distance: 4; within: 233; content: "|FFB55C040000FF95D5030000E83D000000E82401000061E9|"; distance: 4; within: 28; content: "|61C3|"; distance: 4; within: 6; sid: 2009001059; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V119 (LZMA 430) - ap0x]"; flow: established,to_client; content: "|60E8000000008B2C2483C404837C242801750C8B4424248985490B0000EB0C8B85450B00008985490B00008DB56D0B00008D9D2F03000033FF6A4068001000006800200C006A00FF95DA0A00008985410B0000E876010000EB20608B85490B0000FFB5410B0000FF3437010424FF743704010424FFD36183C708833C370075DA83BD550B000000740E83BD590B0000007405E8D70100008D743704536A40680010000068|"; content: "|6A00FF95DA0A00008985690B00005B60FFB5410B000056FFB5690B0000FFD3618BB5690B00008BC6EB014080380175FA408B3803BD490B000083C0048985650B0000E99800000056FF95D20A00008985610B000085C00F84C80000008BC6EB5F8B85650B00008B00A90000008074143500000080508B85650B0000C70020202000EB06FFB5650B0000FFB5610B0000FF95D60A000085C00F8487000000890783C7048B85650B0000EB014080380075FA408985650B000066817802008074A1803800759CEB0146803E0075FA46408B3803BD490B000083C0048985650B0000803E010F855FFFFFFF680040000068|"; distance: 4; within: 242; content: "|FFB5690B0000FF95DE0A000068004000006800200C00FFB5410B0000FF95DE0A0000E83D000000E82401000061E9|"; distance: 4; within: 50; content: "|61C3|"; distance: 4; within: 6; sid: 2009001060; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V119 Dll (aPlib 043) - ap0x]"; flow: established,to_client; content: "|807C2408010F858901000060E8000000008B2C2483C404837C242801750C8B44242489853C040000EB0C8B853804000089853C0400008DB5600400008D9DEB02000033FFE852010000EB1B8B853C040000FF743704010424FF3437010424FFD383C40883C708833C370075DF83BD4804000000740E83BD4C040000007405E8B80100008D743704536A40680010000068|"; content: "|6A00FF95D103000089855C0400005BFFB55C04000056FFD383C4088BB55C0400008BC6EB014080380175FA408B3803BD3C04000083C004898558040000E99400000056FF95C903000085C00F84B40000008985540400008BC6EB5B8B85580400008B00A90000008074143500000080508B8558040000C70020202000EB06FFB558040000FFB554040000FF95CD03000085C07471890783C7048B8558040000EB014080380075FA4089855804000066817802008074A580380075A0EB0146803E0075FA46408B3803BD3C04000083C004898558040000803E010F8563FFFFFF680040000068|"; distance: 4; within: 233; content: "|FFB55C040000FF95D5030000E83D000000E82401000061E9|"; distance: 4; within: 28; content: "|61C3|"; distance: 4; within: 6; sid: 2009001061; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RLPack V119 Dll (LZMA 430) - ap0x]"; flow: established,to_client; content: "|807C2408010F85C701000060E8000000008B2C2483C404837C242801750C8B4424248985490B0000EB0C8B85450B00008985490B00008DB56D0B00008D9D2F03000033FF6A4068001000006800200C006A00FF95DA0A00008985410B0000E876010000EB20608B85490B0000FFB5410B0000FF3437010424FF743704010424FFD36183C708833C370075DA83BD550B000000740E83BD590B0000007405E8D70100008D743704536A40680010000068|"; content: "|6A00FF95DA0A00008985690B00005B60FFB5410B000056FFB5690B0000FFD3618BB5690B00008BC6EB014080380175FA408B3803BD490B000083C0048985650B0000E99800000056FF95D20A00008985610B000085C00F84C80000008BC6EB5F8B85650B00008B00A90000008074143500000080508B85650B0000C70020202000EB06FFB5650B0000FFB5610B0000FF95D60A000085C00F8487000000890783C7048B85650B0000EB014080380075FA408985650B000066817802008074A1803800759CEB0146803E0075FA46408B3803BD490B000083C0048985650B0000803E010F855FFFFFFF680040000068|"; distance: 4; within: 242; content: "|FFB5690B0000FF95DE0A000068004000006800200C00FFB5410B0000FF95DE0A0000E83D000000E82401000061E9|"; distance: 4; within: 50; content: "|61C3|"; distance: 4; within: 6; sid: 2009001062; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ROD High TECH - Ayman]"; flow: established,to_client; content: "|608B151D134000F7E08D8283190000E8580C0000|"; sid: 2009001063; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[RPolyCrypt v 10 (personal polycryptor) sign from pinch]"; flow: established,to_client; content: "|5058979760618B04248078F36AE80000000058E800000000589191EB000F856BF4766FE80000000083C404E8000000005890E80000000083C4048B04248078F1|"; sid: 2009001064; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SafeGuard V10X - simonzh2000]"; flow: established,to_client; content: "|E800000000EB29|"; content: "|599C81C1E2FFFFFFEB01|"; distance: 26; within: 36; content: "|9DFFE1|"; distance: 1; within: 4; sid: 2009001065; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Sc Obfuscator - SuperCRacker]"; flow: established,to_client; content: "|6033C98B1D|"; content: "|031D|"; distance: 4; within: 6; content: "|8A041984C074093C|"; distance: 4; within: 12; content: "|740534|"; distance: 1; within: 4; content: "|880419413B0D|"; distance: 1; within: 7; content: "|75E7A1|"; distance: 4; within: 7; content: "|0105|"; distance: 4; within: 6; content: "|61FF25|"; distance: 4; within: 7; content: "|0000|"; distance: 4; within: 6; sid: 2009001066; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SDC 12 (Self Decrypting Binary Generator) - by Claes M Nyberg]"; flow: established,to_client; content: "|5589E583EC08C7042401000000FF15A0914000E8DBFEFFFF5589E55383EC148B45088B008B003D910000C0773B3D8D0000C0724BBB01000000C744240400000000C7042408000000E8CE24000083F8010F84C400000085C00F85A900000031C083C4145B5DC204003D940000C074563D960000C0741E3D930000C075E1EBB53D050000C08DB4260000000074433D1D0000C075CAC744240400000000C7042404000000E87324000083F8010F849900000085C074A9C7042404000000FFD0B8FFFFFFFFEB9B31DB8D742600E969FFFFFFC744240400000000C704240B000000E83724000083F801747F85C00F846DFFFFFFC704240B0000008D7600FFD0B8FFFFFFFFE959FFFFFFC7042408000000FFD0B8FFFFFFFFE946FFFFFFC744240401000000C7042408000000E8ED230000B8FFFFFFFF85DB0F8425FFFFFFE8DB150000B8FFFFFFFFE916FFFFFFC744240401000000C7042404000000E8BD230000B8FFFFFFFFE9F8FEFFFFC744240401000000C704240B000000E89F230000B8FFFFFFFFE9DAFEFFFF|"; sid: 2009001067; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SDProtect - Randy Li]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|688888880864A10000000050648925000000005864A300000000585858588BE8E83B000000E801000000FF5805|"; distance: 4; within: 49; sid: 2009001068; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SDProtector 1x - Randy Li]"; flow: established,to_client; content: "|558BEC6AFF681D321305688888880864A10000000050648925000000005864A300000000585858588BE8E83B000000E801000000FF580553000000518B4C24108981B8000000B85501000089412033C08941048941|"; sid: 2009001069; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SDProtector BasicPro Edition 110 - Randy Li]"; flow: established,to_client; content: "|558BEC6AFF681D321305688888880864A10000000050648925000000005864A300000000585858588BE85083EC0864A10000000064FF35000000006489250000000083C4085064FF35000000006489250000000064|"; sid: 2009001070; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SDProtector BasicPro Edition 112 - Randy Li]"; flow: established,to_client; content: "|558BEC6AFF681D321305688888880864A10000000050648925000000005864A300000000585858588BE8E83B000000E801000000FF580553000000518B4C24108981B8000000B85501000089412033C089410489410889410C89411059C3C3C3C3C3C3C3C3C3C3C3C3C333C064FF306489209C804C2401019D9090C3C3C3C3C3C3C3C3C3C3C3C3648F005874077505193267E8E874277525EB00EBFC683944CD00599C50740F750DE859C20400558BECE9FAFFFF0EE8EFFFFFFF56575378037901E868A2AF470159E801000000FF58057B03000003C874C475C2E80000000000000000000000000000000000000000000000000000000000000000000000000000000000E2|"; sid: 2009001071; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SDProtector Pro Edition 116 - Randy Li]"; flow: established,to_client; content: "|558BEC6AFF681D321305688888880864A10000000050648925000000005864A300000000585858588BE8E83B000000E801000000FF580553000000518B4C24108981B8000000B85501000089411833C08941048941|"; sid: 2009001072; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SDProtector Pro Edition 116 - Randy Li]"; flow: established,to_client; content: "|558BEC6AFF681D321305688888880864A10000000050648925000000005864A300000000585858588BE8E83B000000E801000000FF580553000000518B4C24108981B8000000B85501000089411833C089410489410889410C89411059C3C3C3C3C3C3C3C3C3C3C3C3C333C064FF306489209C804C2401019D9090C3C3C3C3C3C3C3C3C3C3C3C3648F005874077505193267E8E874277525EB00EBFC683944CD00599C50740F750DE859C20400558BECE9FAFFFF0EE8EFFFFFFF56575378037901E868A2AF470159E801000000FF58059303000003C874C475C2E8|"; sid: 2009001073; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SDProtector V11x - Randy Li]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|688888880864A1|"; distance: 4; within: 11; sid: 2009001074; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SEA-AXE]"; flow: established,to_client; content: "|FCBC|"; content: "|0E1FE8|"; distance: 2; within: 5; content: "|26A1|"; distance: 2; within: 4; content: "|8B1E|"; distance: 2; within: 4; content: "|2BC38EC0B1|"; distance: 2; within: 7; content: "|D3E3|"; distance: 1; within: 3; sid: 2009001075; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SEA-AXE v22]"; flow: established,to_client; content: "|FCBC|"; content: "|0E1FA3|"; distance: 2; within: 5; content: "|E8|"; distance: 2; within: 3; content: "|A1|"; distance: 2; within: 3; content: "|8B|"; distance: 2; within: 3; content: "|2BC38EC0B103D3E38BCBBF|"; distance: 3; within: 14; content: "|8BF7F3A5|"; distance: 2; within: 6; sid: 2009001076; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SecuPack v15]"; flow: established,to_client; content: "|558BEC83C4F053565733C08945F0B8CC3A40|"; content: "|E8E0FCFFFF33C05568EA3C40|"; distance: 1; within: 13; content: "|64FF306489206A|"; distance: 1; within: 8; content: "|6880|"; distance: 1; within: 3; content: "|6A036A|"; distance: 3; within: 6; content: "|6A01|"; distance: 1; within: 3; content: "|80|"; distance: 3; within: 4; sid: 2009001077; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SecureEXE 30 - ZipWorx]"; flow: established,to_client; content: "|E9B8000000|"; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|000000000000|"; distance: 3; within: 9; sid: 2009001078; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SecurePE 1X - wwwdeepzoneorg]"; flow: established,to_client; content: "|8B0424E8000000005D81ED4C2F40008985612F40008D9D652F400053C3000000008DB5BA2F40008BFEBB652F4000B9C6010000AD2BC3C1C00333C3AB4381FB8E2F40007505BB652F4000E2E789AD1A31400089AD5534400089AD683440008D85BA2F400050C3|"; sid: 2009001079; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Securom7 - Sony DADC]"; flow: established,to_client; content: "|B8|"; content: "|8B|"; distance: 4; within: 5; content: "|0A|"; distance: 4; within: 5; content: "|E8|"; distance: 6; within: 7; sid: 2009001080; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SEN Debug Protector]"; flow: established,to_client; content: "|BB|"; content: "|00|"; distance: 4; within: 5; content: "|29|"; distance: 5; within: 6; content: "|4EE8|"; distance: 2; within: 4; sid: 2009001081; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Sentinel SuperPro (Automatic Protection) v640 - Safenet]"; flow: established,to_client; content: "|68|"; content: "|6A016A00FF15|"; distance: 4; within: 10; content: "|A3|"; distance: 4; within: 5; content: "|FF15|"; distance: 4; within: 6; content: "|33C93DB7000000A1|"; distance: 4; within: 12; content: "|0F94C185C0890D|"; distance: 4; within: 11; content: "|0F85|"; distance: 4; within: 6; content: "|5556C705|"; distance: 4; within: 8; content: "|01000000FF15|"; distance: 4; within: 10; content: "|0105|"; distance: 4; within: 6; content: "|FF15|"; distance: 4; within: 6; sid: 2009001082; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Sentinel SuperPro (Automatic Protection) v641 - Safenet]"; flow: established,to_client; content: "|A1|"; content: "|558B|"; distance: 4; within: 6; content: "|85C074|"; distance: 3; within: 6; content: "|85ED75|"; distance: 1; within: 4; content: "|A1|"; distance: 1; within: 2; content: "|5055FF15|"; distance: 4; within: 8; content: "|8B0D|"; distance: 4; within: 6; content: "|5551FF15|"; distance: 4; within: 8; content: "|85C074|"; distance: 4; within: 7; content: "|8B15|"; distance: 1; within: 3; content: "|52FF15|"; distance: 4; within: 7; content: "|6A006A0068|"; distance: 4; within: 9; content: "|E8|"; distance: 4; within: 5; content: "|B8010000005DC20C00|"; distance: 4; within: 13; sid: 2009001083; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Sexe Crypter 11 - by santasdad]"; flow: established,to_client; content: "|558BEC83C4EC53565733C08945ECB8D8390010E830FAFFFF33C05568D43A001064FF306489|"; content: "|E43A0010A10057001050E8CCFAFFFF8BD853A10057001050E8FEFAFFFF8BF853A10057001050E8C8FAFFFF8BD853E8C8FAFFFF8BF085F674268BD74AB814570010E8ADF6FFFFB814570010E89BF6FFFF8BCF8BD6E8DAFAFFFF53E884FAFFFF8D4DECBAF83A0010A114570010E80AFBFFFF8B55ECB814570010E865F5FFFFB814570010E863F6FFFFE852FCFFFF33C05A595964891068DB3A00108D45ECE8EDF4FFFFC3E983EFFFFFEBF05F5E5BE8EDF3FFFF0053455454494E475300000000FFFFFFFF120000006B7574683736676262673637347638386779|"; distance: 4; within: 221; sid: 2009001084; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Shegerd Dongle V478 - MSCo]"; flow: established,to_client; content: "|E832000000B8|"; content: "|8B18C1CB0589DA368B4C240C|"; distance: 4; within: 16; sid: 2009001085; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ShellModify 01 - pll621]"; flow: established,to_client; content: "|558BEC6AFF6898664100683C3D410064A100000000|"; sid: 2009001086; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Shrink v10]"; flow: established,to_client; content: "|509CFCBE|"; content: "|BF|"; distance: 2; within: 3; content: "|57B9|"; distance: 2; within: 4; content: "|F3A48B|"; distance: 2; within: 5; content: "|BE|"; distance: 3; within: 4; content: "|BF|"; distance: 2; within: 3; content: "|F3A4C3|"; distance: 2; within: 5; sid: 2009001087; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Shrink v20]"; flow: established,to_client; content: "|E9|"; content: "|509CFCBE|"; distance: 2; within: 6; content: "|8BFE8CC805|"; distance: 2; within: 7; content: "|8EC00657B9|"; distance: 2; within: 7; sid: 2009001088; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Shrink Wrap v14]"; flow: established,to_client; content: "|58608BE85533F6684801|"; content: "|E84901|"; distance: 2; within: 5; content: "|EB|"; distance: 2; within: 3; sid: 2009001089; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Shrinker v32]"; flow: established,to_client; content: "|833D|"; content: "|558BEC56577565680001|"; distance: 5; within: 15; content: "|E8|"; distance: 2; within: 3; content: "|E6FFFF83C4048B7508A3|"; distance: 1; within: 11; content: "|85F6741D68FF|"; distance: 4; within: 10; sid: 2009001090; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Shrinker v33]"; flow: established,to_client; content: "|833D|"; content: "|0000558BEC565775656800010000E8|"; distance: 3; within: 18; sid: 2009001091; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Shrinker v34]"; flow: established,to_client; content: "|833DB4|"; content: "|558BEC5657756B6800010000E8|"; distance: 4; within: 17; content: "|0B000083C4048B7508A3B4|"; distance: 1; within: 12; content: "|85F67423837D0C03771D68FF|"; distance: 3; within: 15; sid: 2009001092; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Shrinker v34]"; flow: established,to_client; content: "|BB|"; content: "|BA|"; distance: 2; within: 3; content: "|81C30700B840B4B104D3E803C38CD9498EC126030E03002B|"; distance: 2; within: 26; sid: 2009001093; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimbiOZ - Extranger]"; flow: established,to_client; content: "|5060E8000000005D81ED0710400068800B00008D851F10400050E8840B0000|"; sid: 2009001094; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimbiOZ 13 - Extranger]"; flow: established,to_client; content: "|57578D7C240450B800|"; content: "|AB585FC3|"; distance: 3; within: 7; sid: 2009001095; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimbiOZ Poly 21 - Extranger]"; flow: established,to_client; content: "|55508BC483C004C700|"; content: "|58C390|"; distance: 4; within: 7; sid: 2009001096; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimbiOZ PolyCryptor vxx- Extranger]"; flow: established,to_client; content: "|5560E8000000005D81ED|"; content: "|8D85|"; distance: 4; within: 6; content: "|68|"; distance: 4; within: 5; content: "|50E8|"; distance: 4; within: 6; sid: 2009001097; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Simple UPX Cryptor V3042005 - MANtiCORE]"; flow: established,to_client; content: "|60B8|"; content: "|B9|"; distance: 4; within: 5; content: "|E2FA6168|"; distance: 8; within: 12; content: "|C3|"; distance: 4; within: 5; sid: 2009001098; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Simple UPX Cryptor v3042005 [multi layer encryption] -- MANtiCORE]"; flow: established,to_client; content: "|60B8|"; content: "|00B918000000803408|"; distance: 3; within: 12; content: "|E2FA6168|"; distance: 1; within: 5; content: "|00C3|"; distance: 3; within: 5; sid: 2009001099; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Simple UPX Cryptor v3042005 [multi layer encryption] -- MANtiCORE]"; flow: established,to_client; content: "|60B8|"; content: "|B918000000803408|"; distance: 4; within: 12; content: "|E2FA6168|"; distance: 1; within: 5; content: "|C3|"; distance: 4; within: 5; sid: 2009001100; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Simple UPX Cryptor v3042005 [One layer encryption] -- MANtiCORE]"; flow: established,to_client; content: "|60B8|"; content: "|00B9|"; distance: 3; within: 5; content: "|010000803408|"; distance: 1; within: 7; content: "|E2FA6168|"; distance: 1; within: 5; content: "|00C3|"; distance: 3; within: 5; sid: 2009001101; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimplePack 10X - bagie]"; flow: established,to_client; content: "|60E8000000005B8D5BFA6A00FF93|"; content: "|000089C58B7D3C8D743D008DBEF80000008B868800000009C0|"; distance: 2; within: 27; sid: 2009001102; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimplePack 111 Method 1 - bagie[TMX]]"; flow: established,to_client; content: "|60E8000000005B8D5BFABD0000|"; content: "|8B7D3C8D743D008DBEF80000000FB776064E8B471009C074550FB7472209C0744D6A046800100000FF77106A00FF933803000050565789EE03770C8B4F1089C789C8C1E902FC|"; distance: 2; within: 72; sid: 2009001103; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimplePack 111 Method 1 - bagie[TMX]]"; flow: established,to_client; content: "|60E8000000005B8D5BFABD0000|"; content: "|8B7D3C8D743D008DBEF80000000FB776064E8B471009C074550FB7472209C0744D6A046800100000FF77106A00FF933803000050565789EE03770C8B4F1089C789C8C1E902FCF3A589C183E103F3A45F5E8B042489EA03570CE83F010000586800400000FF771050FF933C03000083C7284E759EBE|"; distance: 2; within: 119; content: "|09F60F840C01000001EE8B4E0C09C90F84FF00000001E989CF57FF933003000009C0753D6A04680010000068001000006A00FF933803000089C68D836F020000575056FF93440300006A106A00566A00FF934803000089E5|"; distance: 4; within: 92; sid: 2009001104; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimplePack 111 Method 2(NT) - bagie[TMX]]"; flow: established,to_client; content: "|4D5A90EB010052E989010000504500004C010200000000000000000000000000E0000F030B01|"; sid: 2009001105; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SimplePack V11X-V12X (Method1) - bagie]"; flow: established,to_client; content: "|60E8000000005B8D5BFABD|"; content: "|8B7D3C8D743D008DBEF80000000FB776064E8B471009C0|"; distance: 4; within: 27; sid: 2009001106; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SkD Undetectabler 3 (No FSG 2 Method) - SkD]"; flow: established,to_client; content: "|558BEC81EC1002000068000200008D85F8FDFFFF506A00FF153810000150FF153C1000018D8DF8FDFFFF51E84FFBFFFF83C4048B15|"; content: "|16000152A1|"; distance: 1; within: 6; content: "|16000150E850FFFFFF83C408A3|"; distance: 1; within: 14; content: "|160001C785F4FDFFFF00000000EB0F8B8DF4FDFFFF83C101898DF4FDFFFF8B95F4FDFFFF3B15|"; distance: 1; within: 39; content: "|160001731C8B85F4FDFFFF8B0D|"; distance: 1; within: 14; content: "|1600018D54010781FA741000017502EB02EBC78B85F4FDFFFF50E8|"; distance: 1; within: 28; content: "|00000083C4048985F0FDFFFF8B8DF0FDFFFF894DFCC745F800000000EB098B55F883C2018955F88B45F83B85F4FDFFFF73158B4DFC034DF88B15|"; distance: 1; within: 59; content: "|1600010355F88A028801EBD7833D|"; distance: 1; within: 15; content: "|1600010074|"; distance: 1; within: 6; sid: 2009001107; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SkD Undetectabler Pro 20 (No UPX Method) - SkD]"; flow: established,to_client; content: "|558BEC83C4F0B8FC260010E8ECF3FFFF6A0FE815F5FFFFE864FDFFFFE8BBEDFFFF8D40|"; sid: 2009001108; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SLVc0deProtector 11x - SLV ICU]"; flow: established,to_client; content: "|E80000000058C600EBC6400108FFE0E94C|"; content: "|00|"; distance: 2; within: 3; sid: 2009001109; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SLVc0deProtector v11 - SLV]"; flow: established,to_client; content: "|E80000000058C600EBC6400108FFE0E94C|"; sid: 2009001110; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SmartE - Microsoft]"; flow: established,to_client; content: "|EB1503000000|"; content: "|0000000000000000000000680000000055E8000000005D81ED1D0000008BC555609C2B858F070000898583070000FF74242CE8BB0100000F822F060000E88E040000490F882306|"; distance: 1; within: 72; sid: 2009001111; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SmokesCrypt v12]"; flow: established,to_client; content: "|60B8|"; content: "|B8|"; distance: 4; within: 5; content: "|8A140880F2|"; distance: 4; within: 9; content: "|8814084183F9|"; distance: 1; within: 7; content: "|75F1|"; distance: 1; within: 3; sid: 2009001112; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Soft Defender v10 - v11]"; flow: established,to_client; content: "|74077505193267E8E8741F751DE8683944CD|"; content: "|599C50740A7508E859C204|"; distance: 1; within: 12; content: "|558BECE8F4FFFFFF565753780F790DE8349947493433EF313452472368A2AF470159E8|"; distance: 1; within: 36; content: "|5805BA01|"; distance: 4; within: 8; content: "|03C874BE75BCE8|"; distance: 2; within: 9; sid: 2009001113; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Soft Defender v11x - Randy Li]"; flow: established,to_client; content: "|74077505|"; content: "|741F751D|"; distance: 5; within: 9; content: "|68|"; distance: 1; within: 2; content: "|00599C50740A7508|"; distance: 3; within: 11; content: "|59C20400|"; distance: 1; within: 5; content: "|E8F4FFFFFF|"; distance: 3; within: 8; content: "|780F790D|"; distance: 3; within: 7; sid: 2009001114; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SoftDefender 1x - Randy Li]"; flow: established,to_client; content: "|74077505193267E8E8741F751DE8683944CD00599C50740A7508E859C20400558BECE8F4FFFFFF565753780F790DE8349947493433EF313452472368A2AF470159E801000000FF5805E601000003C874BD75BBE800|"; sid: 2009001115; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SoftDefender V11x - Randy Li]"; flow: established,to_client; content: "|74077505193267E8E8741F751DE8683944|"; sid: 2009001116; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SoftProtect - SoftProtectbyru]"; flow: established,to_client; content: "|EB01E360E803|"; content: "|D2EB0B58EB014840EB0135FFE0E76160E803|"; distance: 3; within: 21; content: "|83EB0EEB010C58EB013540EB0136FFE00B61EB01839CEB01D5EB08359DEB0189EB030BEBF7E8|"; distance: 3; within: 41; content: "|58E8|"; distance: 4; within: 6; content: "|5983010180395C|"; distance: 4; within: 11; sid: 2009001117; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SoftProtect - wwwsoftprotectbyru]"; flow: established,to_client; content: "|E8|"; content: "|8D|"; distance: 4; within: 5; content: "|C70000000000E8|"; distance: 5; within: 12; content: "|E8|"; distance: 4; within: 5; content: "|8D|"; distance: 4; within: 5; content: "|50E8|"; distance: 5; within: 7; content: "|83|"; distance: 4; within: 5; content: "|01|"; distance: 5; within: 6; sid: 2009001118; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SoftSentry v211]"; flow: established,to_client; content: "|558BEC83EC|"; content: "|535657E950|"; distance: 1; within: 6; sid: 2009001119; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SoftSentry v30]"; flow: established,to_client; content: "|558BEC83EC|"; content: "|535657E9B006|"; distance: 1; within: 7; sid: 2009001120; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Software Compress - BG Software]"; flow: established,to_client; content: "|E9BE000000608B7424248B7C2428FCB28033DBA4B302E86D00000073F633C9E864000000731C33C0E85B0000007323B30241B010E84F00000012C073F7753FAAEBD4E84D0000002BCB7510E842000000EB28ACD1E8|"; sid: 2009001121; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Software Compress V12 - BG Software Protect Technologies]"; flow: established,to_client; content: "|E9BE000000608B7424248B7C2428FCB28033DBA4B302E86D0000|"; sid: 2009001122; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Software Compress v12 - BG Software Protect Technologies]"; flow: established,to_client; content: "|E9BE000000608B7424248B7C2428FCB28033DBA4B302E86D00000073F633C9E864000000731C33C0E85B0000007323B30241B010E84F00000012C073F7753FAAEBD4E84D0000002BCB7510E842000000EB28ACD1E8744D13C9EB1C9148C1E008ACE82C0000003D007D0000730A80FC05730683F87F77024141958BC5B301568BF72BF0F3A45EEB8E02D275058A164612D2C333C941E8EEFFFFFF13C9E8E7FFFFFF72F2C32B7C2428897C241C61C360FF7424246A40FF951A0F41008944241C61C20400E800000000812C243A1041005DE800000000812C24310100008B852A0F4100290424|"; sid: 2009001123; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Software Compress v14 LITE - BG Software Protect Technologies]"; flow: established,to_client; content: "|E800000000812C24AA1A41005DE800000000832C246E8B855D1A41002904248B042489855D1A4100588B855D1A41008B503C03D08B928000000003D08B4A58898D491A41008B4A5C898D4D1A41008B4A60898D551A|"; sid: 2009001124; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Software Compress v14 LITE - BG Software Protect Technologies]"; flow: established,to_client; content: "|E800000000812C24AA1A41005DE800000000832C246E8B855D1A41002904248B042489855D1A4100588B855D1A41008B503C03D08B928000000003D08B4A58898D491A41008B4A5C898D4D1A41008B4A60898D551A41008B4A64898D511A41008B4A74898D591A41006800200000E8D2000000508D8D001C41005051E81B00000083C408588D78748DB5491A4100B918000000F3A405A400000050C3608B7424248B7C2428FCB28033DBA4B302E86D00000073F633C9E864000000731C33C0E85B0000007323B30241B010E84F00000012C073F7753FAAEBD4E84D0000002BCB7510E842000000EB28ACD1E8744D13C9EB1C9148C1E008ACE82C0000003D007D0000730A80FC05730683F87F77024141958BC5B301568BF72BF0F3A45EEB8E02D275058A164612D2C333C941E8EEFFFFFF13C9E8E7FFFFFF72F2C32B7C2428897C241C61C360FF7424246A40FF954D1A41008944241C61C204|"; sid: 2009001125; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SoftWrap]"; flow: established,to_client; content: "|525351565755E8|"; content: "|5D81ED36|"; distance: 4; within: 8; content: "|E8|"; distance: 3; within: 4; content: "|01|"; distance: 1; within: 2; content: "|60BA|"; distance: 2; within: 4; content: "|E8|"; distance: 4; within: 5; content: "|5F|"; distance: 4; within: 5; sid: 2009001126; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SOFTWrapper for Win9xNT (Evaluation Version)]"; flow: established,to_client; content: "|E8000000005D8BC52D|"; content: "|005081ED050000008BC52B85030F00008985030F00008BF003B50B0F00008BF803BD070F0000837F0C00742B56578B7F1003F88B761003F0833F00740C8B1E891F83C60483C704EBEF|"; distance: 3; within: 76; sid: 2009001127; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SPEC b2]"; flow: established,to_client; content: "|55575153E8|"; content: "|5D8BC581ED|"; distance: 4; within: 9; content: "|2B85|"; distance: 4; within: 6; content: "|83E8098985|"; distance: 4; within: 9; content: "|0FB6|"; distance: 4; within: 6; sid: 2009001128; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SPEC b3]"; flow: established,to_client; content: "|5B535045435DE8|"; content: "|5D8BC581ED412440|"; distance: 4; within: 12; content: "|2B85892640|"; distance: 1; within: 6; content: "|83E80B89858D2640|"; distance: 1; within: 9; content: "|0FB6B5912640|"; distance: 1; within: 7; content: "|8BFD|"; distance: 1; within: 3; sid: 2009001129; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Special EXE Password Protector v10]"; flow: established,to_client; content: "|60E8000000005D81ED0600000089AD8C0100008BC52B85FE75000089853E77|"; sid: 2009001130; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Special EXE Pasword Protector V101 (Eng) - Pavol Cerven]"; flow: established,to_client; content: "|60E8000000005D81ED0600000089AD8C0100008BC52B85FE75000089853E|"; sid: 2009001131; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Special EXE Pasword Protector v101 (Eng) - Pavol Cerven]"; flow: established,to_client; content: "|60E8000000005D81ED0600000089AD8C0100008BC52B85FE75000089853E7700008D95C67700008D8DFF77000055680020000051526A00FF95047A00005D6A00FF95FC7900008D8D607800008D9585010000556800|"; sid: 2009001132; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Splash Bitmap v100 (With Unpack Code) -- BoB Bobsoft]"; flow: established,to_client; content: "|E800000000608B6C24205581ED|"; content: "|8DBD|"; distance: 4; within: 6; content: "|8D8D|"; distance: 4; within: 6; content: "|29F931C0FCF3AA8B042448662500F06681384D5A75F48B483C813C015045000075E88985|"; distance: 4; within: 40; content: "|6A40|"; distance: 4; within: 6; sid: 2009001133; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Splash Bitmap v100 -- BoB Bobsoft]"; flow: established,to_client; content: "|E800000000608B6C24205581ED|"; content: "|8DBD|"; distance: 4; within: 6; content: "|8D8D|"; distance: 4; within: 6; content: "|29F931C0FCF3AA8B042448662500F06681384D5A75F48B483C813C015045000075E88985|"; distance: 4; within: 40; content: "|8DBD|"; distance: 4; within: 6; content: "|6A00|"; distance: 4; within: 6; sid: 2009001134; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Splasher v10 - v30]"; flow: established,to_client; content: "|9C608B442424E8|"; content: "|5D81ED|"; distance: 4; within: 7; content: "|50E8ED02|"; distance: 4; within: 8; content: "|8CC00F84|"; distance: 2; within: 6; sid: 2009001135; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Splice 11 - by Tw1sted L0gic]"; flow: established,to_client; content: "|68001A4000E8EEFFFFFF000000000000300000004000000000000000|"; content: "|00000000000001000000|"; distance: 16; within: 26; content: "|50726F6A6563743100|"; distance: 6; within: 15; content: "|0000000006000000AC29400007000000BC2840000700000074284000070000002C2840000700000008234000010000003821400000000000FFFFFFFFFFFFFFFF000000008C21400008|"; distance: 7; within: 80; content: "|400001000000AC194000000000000000000000000000AC1940004F00430050000000E7AF582F9A4C174DB7A9CA3E576FF776|"; distance: 1; within: 51; sid: 2009001136; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[StarForce 30 - StarForce Technology]"; flow: established,to_client; content: "|68|"; content: "|FF25|"; distance: 4; within: 6; content: "|63|"; distance: 2; within: 3; sid: 2009001137; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[StarForce ProActive 11 - StarForce Technology]"; flow: established,to_client; content: "|68|"; content: "|FF25|"; distance: 4; within: 6; content: "|57|"; distance: 2; within: 3; sid: 2009001138; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[StarForce Protection Driver - Protection Technology]"; flow: established,to_client; content: "|5768|"; content: "|0D01006800|"; distance: 1; within: 6; content: "|00E850|"; distance: 2; within: 5; content: "|FFFF68|"; distance: 1; within: 4; content: "|0068|"; distance: 3; within: 5; content: "|0068|"; distance: 3; within: 5; content: "|0068|"; distance: 3; within: 5; content: "|0068|"; distance: 3; within: 5; content: "|00|"; distance: 3; within: 4; sid: 2009001139; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[StarForce V1X-V3X - StarForce Copy Protection System]"; flow: established,to_client; content: "|68|"; content: "|FF25|"; distance: 4; within: 6; content: "|0000000000|"; distance: 4; within: 9; sid: 2009001140; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[StarForce V3X DLL - StarForce Copy Protection System]"; flow: established,to_client; content: "|E8|"; content: "|000000000000|"; distance: 4; within: 10; sid: 2009001141; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Stealth PE v11]"; flow: established,to_client; content: "|BA|"; content: "|00FFE2BA|"; distance: 3; within: 7; content: "|00B8|"; distance: 3; within: 5; content: "|890283C203B8|"; distance: 4; within: 10; content: "|890283C2FDFFE2|"; distance: 4; within: 11; sid: 2009001142; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[STNPEE 113]"; flow: established,to_client; content: "|555756525153E8000000005D8BD581ED973B4000|"; sid: 2009001143; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Stones PE Encryptor v10]"; flow: established,to_client; content: "|555756525153E8|"; content: "|5D8BD581ED633A40|"; distance: 4; within: 12; content: "|2B95C23A40|"; distance: 1; within: 6; content: "|83EA0B8995CB3A40|"; distance: 1; within: 9; content: "|8DB5CA3A40|"; distance: 1; within: 6; content: "|0FB636|"; distance: 1; within: 4; sid: 2009001144; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Stones PE Encryptor v113]"; flow: established,to_client; content: "|555756525153E8|"; content: "|5D8BD581ED973B40|"; distance: 4; within: 12; content: "|2B952D3C40|"; distance: 1; within: 6; content: "|83EA0B8995363C40|"; distance: 1; within: 9; content: "|0195243C40|"; distance: 1; within: 6; content: "|019528|"; distance: 1; within: 4; sid: 2009001145; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Stones PE Encryptor v20]"; flow: established,to_client; content: "|535152565755E8|"; content: "|5D81ED423040|"; distance: 4; within: 10; content: "|FF95323540|"; distance: 1; within: 6; content: "|B8373040|"; distance: 1; within: 5; content: "|03C52B851B3440|"; distance: 1; within: 8; content: "|8985273440|"; distance: 1; within: 6; content: "|83|"; distance: 1; within: 2; sid: 2009001146; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Stones PE Encruptor v113]"; flow: established,to_client; content: "|555756525153E8|"; content: "|5D8BD581|"; distance: 4; within: 8; sid: 2009001147; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[STUD RC4 10 Jamie Edition (ScanTime UnDetectable) - by MarjinZ]"; flow: established,to_client; content: "|682C114000E8F0FFFFFF00000000000030000000380000000000000037BB71ECA4E1984C9BFE8F0FFA6A07F6000000000000010000002020466F7220737475640020546F0000000006000000CC1A400007000000D4184000070000007C184000070000002C18400007000000E017400056423521F01F2A000000000000000000000000007E000000000000000000000000000A000904000000000000E8134000F413400000F0300000FFFFFF080000000100000000000000E90000000411400004114000C8104000780000007C00000081000000820000000000000000000000000000000000000061616100537475640000737475640000010001003016400000000000FFFFFFFFFFFFFFFF00000000B41640001030400007000000241240000E002000000000001C9E2100EC1140005C104000E41A40002C3440006817400058174000781740008C1740008C1040006210400092104000F81A400024194000981040009E104000770418FF041CFF0500002401000D1400781C400048214000|"; sid: 2009001148; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SuckStop v111]"; flow: established,to_client; content: "|EB|"; content: "|BE|"; distance: 3; within: 4; content: "|B430CD21EB|"; distance: 2; within: 7; content: "|9B|"; distance: 1; within: 2; sid: 2009001149; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SuperDAT]"; flow: established,to_client; content: "|558BEC6AFF6840F3420068A4BF420064A100000000506489250000000083EC585356578965E8FF1508F2420033D28AD48915604243008BC881E1FF000000890D|"; sid: 2009001150; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SVK Protector v132 (Eng) - Pavol Cerven]"; flow: established,to_client; content: "|60E8000000005D81ED06000000EB05B80636420064A023000000EB03C784E884C0EB03C784E97567B9490000008DB5C50200005680064446E2FA8B8DC10200005E55516A0056FF950C610000595D4085C0753C803E|"; sid: 2009001151; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SVK Protector v13x (Eng) - Pavol Cerven]"; flow: established,to_client; content: "|60E8000000005D81ED06000000EB05B8|"; content: "|420064A023000000EB03C784E884C0EB03C784E97567B9490000008DB5C50200005680064446E2FA8B8DC10200005E55516A0056FF950C610000595D4085C0753C803E|"; distance: 2; within: 69; sid: 2009001152; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SVK Protector V13X - Pavol Cerven]"; flow: established,to_client; content: "|60E8000000005D81ED06000000EB05B8|"; content: "|420064A023000000EB03C784E884C0EB03C784E97567B9490000008DB5C50200005680064446E2FA8B8DC10200005E55516A0056FF950C610000595D4085C0753C803E00740346EBF846E2E38BC58B4C24202B85BD0200008985B902000080BDB40200000175068B8D0C610000898DB50200008D850E0300008BDDFFE05568101000008D85B4000000508D85B4010000506A00FF95186100005D6AFFFF95106100004465627567676572206F7220746F6F6C20666F72206D6F6E69746F72696E672064657465637465642121210000000000000000000000000000000000000000000000000000000000000000|"; distance: 2; within: 239; sid: 2009001153; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SVK-Protector v1051]"; flow: established,to_client; content: "|60EB03C784E8EB03C7849AE8000000005D81ED10000000EB03C784E964A023000000EB|"; sid: 2009001154; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SVK-Protector v111]"; flow: established,to_client; content: "|60E8|"; content: "|5D81ED06|"; distance: 4; within: 8; content: "|64A023|"; distance: 3; within: 6; sid: 2009001155; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[SVK-Protector v132]"; flow: established,to_client; content: "|60E8000000005D81ED06000000EB05B80636420064A023|"; sid: 2009001156; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[T-PACK v05c -m1]"; flow: established,to_client; content: "|68|"; content: "|FD60BE|"; distance: 2; within: 5; content: "|BF|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|F3A48BF7BF|"; distance: 2; within: 7; content: "|FC46E98EFE|"; distance: 2; within: 7; sid: 2009001157; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[T-PACK v05c -m2]"; flow: established,to_client; content: "|68|"; content: "|FD60BE|"; distance: 2; within: 5; content: "|BF|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|F3A48BF7BF|"; distance: 2; within: 7; content: "|FC46E9CEFD|"; distance: 2; within: 7; sid: 2009001158; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock 051 - tE]"; flow: established,to_client; content: "|C1EE00668BC9EB01EB60EB01EB9CE8000000005E83C65E8BFE687901000059EB01EBAC54E8030000005CEB088D642404FF6424FC6A05D02C247201E80124245CF7DCEB02CD208D6424FEF7DCEB02CD20FEC8E80000000032C1EB02820DAAEB03820D58EB021D7A49EB05E8010000007FAE147EA077767574|"; sid: 2009001159; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock 096 - tE]"; flow: established,to_client; content: "|E959E4FFFF00000000000000|"; content: "|EE|"; distance: 4; within: 5; content: "|0000000000000000000E|"; distance: 2; within: 12; content: "|00FE|"; distance: 2; within: 4; content: "|00F6|"; distance: 2; within: 4; content: "|0000000000000000001B|"; distance: 2; within: 12; content: "|0006|"; distance: 2; within: 4; content: "|00000000000000000000000000000000000000000026|"; distance: 2; within: 24; content: "|000000000039|"; distance: 2; within: 8; content: "|000000000026|"; distance: 2; within: 8; content: "|000000000039|"; distance: 2; within: 8; content: "|00000000006B65726E656C33322E646C6C|"; distance: 2; within: 19; sid: 2009001160; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock 098 - tE]"; flow: established,to_client; content: "|E925E4FFFF000000|"; content: "|1E|"; distance: 4; within: 5; content: "|0000000000000000003E|"; distance: 2; within: 12; content: "|002E|"; distance: 2; within: 4; content: "|0026|"; distance: 2; within: 4; content: "|0000000000000000004B|"; distance: 2; within: 12; content: "|0036|"; distance: 2; within: 4; content: "|00000000000000000000000000000000000000000056|"; distance: 2; within: 24; content: "|000000000069|"; distance: 2; within: 8; content: "|000000000056|"; distance: 2; within: 8; content: "|000000000069|"; distance: 2; within: 8; content: "|00000000006B65726E656C33322E646C6C00757365|"; distance: 2; within: 23; sid: 2009001161; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock 098 Special Build - forgot heXer]"; flow: established,to_client; content: "|E999D7FFFF000000|"; content: "|AA|"; distance: 4; within: 5; content: "|000000000000000000CA|"; distance: 2; within: 12; sid: 2009001162; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock 099 - 10 private - tE]"; flow: established,to_client; content: "|E9|"; content: "|FFFF000000|"; distance: 2; within: 7; content: "|000000000000000000|"; distance: 7; within: 16; sid: 2009001163; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock 099 - tE]"; flow: established,to_client; content: "|E95EDFFFFF000000|"; content: "|E5|"; distance: 4; within: 5; content: "|00000000000000000005|"; distance: 2; within: 12; sid: 2009001164; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock 099c (Private ECLIPSE) - tE]"; flow: established,to_client; content: "|E93FDFFFFF000000|"; content: "|04|"; distance: 4; within: 5; content: "|00000000000000000024|"; distance: 2; within: 12; content: "|0014|"; distance: 2; within: 4; content: "|000C|"; distance: 2; within: 4; content: "|00000000000000000031|"; distance: 2; within: 12; content: "|001C|"; distance: 2; within: 4; content: "|0000000000000000000000000000000000000000003C|"; distance: 2; within: 24; content: "|00000000004F|"; distance: 2; within: 8; content: "|00000000003C|"; distance: 2; within: 8; content: "|00000000004F|"; distance: 2; within: 8; content: "|00000000006B65726E656C33322E646C6C00757365|"; distance: 2; within: 23; sid: 2009001165; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v041x]"; flow: established,to_client; content: "|668BC08D2424EB01EB60EB01EB9CE8000000005E83C6508BFE687801|"; content: "|59EB01EBAC54E803|"; distance: 2; within: 10; content: "|5CEB08|"; distance: 3; within: 6; sid: 2009001166; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v042]"; flow: established,to_client; content: "|C1EE00668BC9EB01EB60EB01EB9CE8000000005E83C6528BFE68790159EB01EBAC54E8035CEB08|"; sid: 2009001167; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v04x - v05x]"; flow: established,to_client; content: "|C1EE00668BC9EB01EB60EB01EB9CE8000000005E83C6|"; content: "|8BFE687901|"; distance: 1; within: 6; content: "|59EB01|"; distance: 2; within: 5; sid: 2009001168; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v051]"; flow: established,to_client; content: "|C1EE00668BC9EB01EB60EB01EB9CE8000000005E83C65E8BFE68790159EB01EBAC54E8035CEB08|"; sid: 2009001169; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v060]"; flow: established,to_client; content: "|E90000000060E8000000005883C008|"; sid: 2009001170; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v070]"; flow: established,to_client; content: "|60E8BD100000C383E200F975FA70|"; sid: 2009001171; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v071]"; flow: established,to_client; content: "|60E8ED100000C383|"; sid: 2009001172; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v071b2]"; flow: established,to_client; content: "|60E844110000C383|"; sid: 2009001173; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v071b7]"; flow: established,to_client; content: "|60E848110000C383|"; sid: 2009001174; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v080]"; flow: established,to_client; content: "|60E8F9110000C383|"; sid: 2009001175; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v085f]"; flow: established,to_client; content: "|60E802000000CD20E8000000005E2BC9587402|"; sid: 2009001176; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v098]"; flow: established,to_client; content: "|E925E4FFFF000000|"; content: "|1E|"; distance: 4; within: 5; sid: 2009001177; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v098 - tE]"; flow: established,to_client; content: "|E925E4FFFF000000|"; content: "|0000000000000000|"; distance: 8; within: 16; content: "|0000000000000000|"; distance: 12; within: 20; content: "|0000000000000000000000000000000000000000|"; distance: 8; within: 28; content: "|00000000|"; distance: 4; within: 8; content: "|00|"; distance: 4; within: 5; sid: 2009001178; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v099]"; flow: established,to_client; content: "|E9|"; content: "|FFFF000000|"; distance: 2; within: 7; content: "|00|"; distance: 7; within: 8; content: "|00|"; distance: 7; within: 8; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|0200|"; distance: 2; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00000000000000000000000000|"; distance: 3; within: 16; content: "|0000000000|"; distance: 3; within: 8; content: "|020000|"; distance: 2; within: 5; sid: 2009001179; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v099 Special Build - heXer forgot]"; flow: established,to_client; content: "|E95EDFFFFF000000|"; content: "|E5|"; distance: 4; within: 5; content: "|00000000000000000005|"; distance: 2; within: 12; content: "|00F5|"; distance: 2; within: 4; content: "|00ED|"; distance: 2; within: 4; content: "|00000000000000000012|"; distance: 2; within: 12; content: "|00FD|"; distance: 2; within: 4; content: "|0000000000000000000000000000000000000000001D|"; distance: 2; within: 24; content: "|000000000030|"; distance: 2; within: 8; content: "|0000|"; distance: 2; within: 4; sid: 2009001180; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[tElock v099 Special Build - heXer forgot]"; flow: established,to_client; content: "|E95EDFFFFF000000|"; content: "|E5|"; distance: 4; within: 5; content: "|00000000000000000005|"; distance: 2; within: 12; content: "|00F5|"; distance: 2; within: 4; content: "|00ED|"; distance: 2; within: 4; content: "|00000000000000000012|"; distance: 2; within: 12; content: "|00FD|"; distance: 2; within: 4; content: "|0000000000000000000000000000000000000000001D|"; distance: 2; within: 24; content: "|000000000030|"; distance: 2; within: 8; content: "|00000000001D|"; distance: 2; within: 8; content: "|000000000030|"; distance: 2; within: 8; content: "|0000000000|"; distance: 2; within: 7; sid: 2009001181; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[The Guard Library]"; flow: established,to_client; content: "|50E8|"; content: "|5825|"; distance: 4; within: 6; content: "|F0FFFF8BC883C1605183C04083EA0652FF209DC3|"; distance: 1; within: 21; sid: 2009001182; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[TheHypers protector - TheHyper]"; flow: established,to_client; content: "|558BEC83EC148BFCE814000000|"; content: "|0101|"; distance: 2; within: 4; content: "|0101|"; distance: 2; within: 4; content: "|00|"; distance: 3; within: 4; content: "|0101|"; distance: 2; within: 4; content: "|02015EE80D0000006B65726E656C33322E646C6C008B4604FF108BD8E80D0000005669727475616C416C6C6F6300538B06FF108907E8|"; distance: 2; within: 56; sid: 2009001183; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Themida - Oreans Technologies 2004]"; flow: established,to_client; content: "|B800000000600BC07458E8000000005805430000008038E9750361EB35E8|"; sid: 2009001184; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[themida 1005 - httpwwworeanscom]"; flow: established,to_client; content: "|B800000000600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944|"; sid: 2009001185; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Themida 10xx - 1800 (compressed engine) - Oreans Technologies]"; flow: established,to_client; content: "|B8|"; content: "|600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944000083C367391A74072D00100000EBDA8BF8B8|"; distance: 4; within: 82; sid: 2009001186; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Themida 10xx - 1800 (compressed engine) - Oreans Technologies]"; flow: established,to_client; content: "|B8|"; content: "|600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944000083C367391A74072D00100000EBDA8BF8B8|"; distance: 4; within: 82; content: "|03C7B95A|"; distance: 4; within: 8; content: "|03CFEB0AB8|"; distance: 3; within: 8; content: "|B95A|"; distance: 4; within: 6; content: "|5051E884000000E800000000582D26000000B9EF010000C600E983E90589480161E9AF01|"; distance: 3; within: 39; sid: 2009001187; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Themida 1201 (compressed) - Oreans Technologies]"; flow: established,to_client; content: "|B80000|"; content: "|600BC07458E8000000005805430000008038E9750361EB35E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944000083C367391A74072D00100000EBDA8BF8B8|"; distance: 2; within: 80; sid: 2009001188; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Themida 18xx - Oreans Technologies]"; flow: established,to_client; content: "|B8|"; content: "|600BC07468E8000000005805530000008038E9751361EB45DB2D37|"; distance: 4; within: 31; content: "|FFFFFFFFFFFFFFFF3D40E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944000083C367|"; distance: 3; within: 53; sid: 2009001189; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Themida 18xx - Oreans Technologies]"; flow: established,to_client; content: "|B8|"; content: "|600BC07468E8000000005805530000008038E9751361EB45DB2D37|"; distance: 4; within: 31; content: "|FFFFFFFFFFFFFFFF3D40E800000000582500F0FFFF33FF66BB195A6683C33466391875120FB7503C03D0BBE944000083C367391A74072D00100000EBDA8BF8B8|"; distance: 3; within: 67; content: "|03C7B9|"; distance: 4; within: 7; content: "|03CFEB0AB8|"; distance: 4; within: 9; content: "|B9|"; distance: 4; within: 5; content: "|5051E884000000E800000000582D26000000B9EF010000C600E983E90589480161E9|"; distance: 4; within: 38; sid: 2009001190; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ThemidaWinLicense V1000-V1800- Oreans Technologies]"; flow: established,to_client; content: "|B800000000600BC07458E8000000005805|"; content: "|0000008038E975|"; distance: 1; within: 8; content: "|61EB|"; distance: 1; within: 3; content: "|E800000000|"; distance: 1; within: 6; sid: 2009001191; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ThemidaWinLicense V10X-V17X DLL - Oreans Technologies]"; flow: established,to_client; content: "|B8|"; content: "|600BC07458E8000000005805|"; distance: 4; within: 16; content: "|8038E9750361EB35E800000000582500F0FFFF33FF66BB|"; distance: 4; within: 27; content: "|6683|"; distance: 2; within: 4; content: "|66391875120FB7503C03D0BB|"; distance: 2; within: 14; content: "|83C3|"; distance: 4; within: 6; content: "|391A74072D00100000EBDA8BF8B8|"; distance: 1; within: 15; content: "|03C7B9|"; distance: 4; within: 7; content: "|03CFEB0AB8|"; distance: 4; within: 9; content: "|B9|"; distance: 4; within: 5; content: "|5051E884000000E800000000582D|"; distance: 4; within: 18; content: "|B9|"; distance: 4; within: 5; content: "|C600E983E9|"; distance: 4; within: 9; content: "|89480161E9|"; distance: 1; within: 6; sid: 2009001192; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ThemidaWinLicense V1802 - Oreans Technologies]"; flow: established,to_client; content: "|B800000000600BC07468E8000000005805|"; content: "|0000008038E975|"; distance: 1; within: 8; content: "|61EB|"; distance: 1; within: 3; content: "|DB2D|"; distance: 1; within: 3; content: "|FFFFFFFFFFFFFFFF3D40E800000000|"; distance: 4; within: 19; sid: 2009001193; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ThemidaWinLicense V18X-V19X - Oreans Technologies]"; flow: established,to_client; content: "|B8|"; content: "|600BC07468E8000000005805530000008038E9751361EB45DB2D|"; distance: 4; within: 30; content: "|FFFFFFFFFFFFFFFF3D|"; distance: 4; within: 13; content: "|0000582500F0FFFF33FF66BB|"; distance: 4; within: 16; content: "|6683|"; distance: 2; within: 4; content: "|66391875120FB7503C03D0BB|"; distance: 2; within: 14; content: "|83C3|"; distance: 4; within: 6; content: "|391A74072D|"; distance: 1; within: 6; content: "|EBDA8BF8B8|"; distance: 4; within: 9; content: "|03C7B9|"; distance: 4; within: 7; content: "|03CFEB0AB8|"; distance: 4; within: 9; content: "|B9|"; distance: 4; within: 5; content: "|5051E8|"; distance: 4; within: 7; content: "|E8|"; distance: 4; within: 5; content: "|582D|"; distance: 4; within: 6; content: "|B9|"; distance: 4; within: 5; content: "|C600E983E90589480161E9|"; distance: 4; within: 15; sid: 2009001194; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[theWRAP - by TronDoc]"; flow: established,to_client; content: "|558BEC83C4F053565733C08945F0B848D24B00E8BC87F4FFBB040B4D0033C05568E8D54B0064FF30648920E89CF4FFFFE8F7FBFFFF6A408D55F0A1F0ED4B008B00E8422EF7FF8B4DF0B201A1F4C24000E8F720F5FF8BF0B201A1B4C34000E8F15BF4FF890333D28B03E8421EF5FF66B90200BAFCFFFFFF8BC68B38FF570CBAB8A74D00B9040000008BC68B38FF5704833DB8A74D00000F845E0100008B15B8A74D0083C204F7DA66B902008BC68B38FF570C8B0DB8A74D008BD68B03E82B1FF5FF8BC6E8B45BF4FF33D28B03E8DF1DF5FFBAF0444E00B9010000008B038B30FF5604803DF0444E000A753FBAB8A74D00B9040000008B038B30FF56048B15B8A7|"; sid: 2009001195; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 24x - 25x - Jitit Software]"; flow: established,to_client; content: "|558BECB8|"; content: "|BB|"; distance: 4; within: 5; content: "|50E800000000582D|"; distance: 4; within: 12; content: "|B9|"; distance: 4; within: 5; content: "|BA|"; distance: 4; within: 5; content: "|BE|"; distance: 4; within: 5; content: "|BF|"; distance: 4; within: 5; content: "|BD|"; distance: 4; within: 5; content: "|03E8|"; distance: 4; within: 6; sid: 2009001196; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 25 - ]"; flow: established,to_client; content: "|558BECB8|"; content: "|BB|"; distance: 4; within: 5; content: "|50E800000000582DA71A0000B96C1A0000BA201B0000BE00100000BFB0530000BDEC1A000003E8817500|"; distance: 4; within: 46; content: "|817504|"; distance: 4; within: 7; content: "|817508|"; distance: 4; within: 7; content: "|81750C|"; distance: 4; within: 7; content: "|817510|"; distance: 4; within: 7; sid: 2009001197; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 25xx - Jtit]"; flow: established,to_client; content: "|558BECB8|"; content: "|BB|"; distance: 4; within: 5; content: "|50E800000000582D|"; distance: 4; within: 12; content: "|1A0000B9|"; distance: 1; within: 5; content: "|1A0000BA|"; distance: 1; within: 5; content: "|1B0000BE00100000BF|"; distance: 1; within: 10; content: "|530000BD|"; distance: 1; within: 5; content: "|1A000003E8817500|"; distance: 1; within: 9; content: "|7504|"; distance: 5; within: 7; content: "|817508|"; distance: 4; within: 7; content: "|81750C|"; distance: 4; within: 7; content: "|817510|"; distance: 4; within: 7; sid: 2009001198; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 25xx - Jtit]"; flow: established,to_client; content: "|558BECB8|"; content: "|BB|"; distance: 4; within: 5; content: "|50E800000000582D|"; distance: 4; within: 12; content: "|1A0000B9|"; distance: 1; within: 5; content: "|1A0000BA|"; distance: 1; within: 5; content: "|1B0000BE00100000BF|"; distance: 1; within: 10; content: "|530000BD|"; distance: 1; within: 5; content: "|1A000003E8817500|"; distance: 1; within: 9; content: "|7504|"; distance: 5; within: 7; content: "|817508|"; distance: 4; within: 7; content: "|81750C|"; distance: 4; within: 7; content: "|817510|"; distance: 4; within: 7; content: "|03|"; distance: 4; within: 5; content: "|3BF17C043BF27C02892E83C6043BF77CE35850680000400068805A|"; distance: 23; within: 50; sid: 2009001199; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 2628 - Jtit]"; flow: established,to_client; content: "|E80000000058BB341D00002BC3506800004000680040000068BC000000E8C3FEFFFFE999FFFFFFCCCCCCCCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA000000804333C0E81901|"; sid: 2009001200; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 2628 - Jtit]"; flow: established,to_client; content: "|E80000000058BB341D00002BC3506800004000680040000068BC000000E8C3FEFFFFE999FFFFFFCCCCCCCCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA000000804333C0E819010000730E8B4DF8E8270100000245F7AAEBE9E8040100000F8296000000E8F9000000735BB904000000E8050100004874DE0F89C6000000E8DF000000731B55BD00010000E8DF0000008807474D75F5E8C700000072E95DEBA2B901000000E8D000000083C0078945F8C645F70083F8087489E8B10000008845F7E97CFFFFFFB907000000E8AA0000005033C9B102E8A00000008BC84141580BC074048BD8EB5E83F902746A41E8880000008945FCE948FFFFFFE88700000049E2098BC3E87D000000EB3A498BC1558B4DFC8BE833C0D3E5E85D0000000BC55D8BD8E85F0000003D0000010073143DFF370000730E3D7F020000730883F87F770441414141568BF72BF0F3|"; sid: 2009001201; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 2736 - Jitit]"; flow: established,to_client; content: "|9C60E80000000058BBF31C00002BC3506800004000680026000068CC000000E8C1FEFFFFE997FFFFFFCCCCCCCCCCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA000000804333C0E819010000730E8B4DF8E8270100000245F7AAEBE9E8040100000F8296000000E8F9000000735BB904000000E8050100004874DE0F89C6000000E8DF000000731B55BD00010000E8DF0000008807474D75F5E8C700000072E95DEBA2B901000000E8D000000083C0078945F8C645F70083F8087489E8B10000008845F7E97CFFFFFFB907000000E8AA0000005033C9B102E8A00000008BC84141580BC074048BD8EB5E83F902746A41E8880000008945FCE948FFFFFFE88700000049E2098BC3E87D000000EB3A498BC1558B4DFC8BE833C0D3E5E85D0000000BC55D8BD8E85F0000003D0000010073143DFF370000730E3D7F020000730883F87F770441414141568BF72BF0F3A45EE9F0FEFFFF33C0EB058BC72B450C5E5F5BC9C20800|"; sid: 2009001202; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 3035 - Jtit]"; flow: established,to_client; content: "|9C60685374416C685468496EE80000000058BB371F00002BC35068|"; content: "|68002800006804010000E8BAFEFFFFE990FFFFFFCCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA00|"; distance: 4; within: 58; sid: 2009001203; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall 3035 - Jtit]"; flow: established,to_client; content: "|9C60685374416C685468496EE80000000058BB371F00002BC35068|"; content: "|68002800006804010000E8BAFEFFFFE990FFFFFFCCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA000000804333C0E819010000730E8B4DF8E8270100000245F7AAEBE9E8040100000F8296000000E8F9000000735BB904000000E8050100004874DE0F89C6000000E8DF000000731B55BD00010000E8DF0000008807474D75F5E8C700000072E95DEBA2B901000000E8D000000083C0078945F8C645F70083F8087489E8B10000008845F7E97CFFFFFFB907000000E8AA0000005033C9B102E8A00000008BC84141580BC074048BD8EB5E83F902746A41E8880000008945FCE948FFFFFFE88700000049E2098BC3E87D000000EB3A498BC1558B4DFC8BE833C0D3E5E85D0000000BC55D8BD8E85F0000003D0000010073143DFF370000730E3D7F020000730883F87F770441414141568BF72BF0F3A45EE9F0FEFFFF33C0EB058BC72B450C5E5F5BC9C2080003D275088B1683C604F913D2C3B908000000E801000000C333C0E8E1FFFFFF13C0E2F7C333C941E8D4FFFFFF13C9E8CDFFFFFF72F2C3|"; distance: 4; within: 404; sid: 2009001204; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 19X - Jitit]"; flow: established,to_client; content: "|558BEC515356576A006A00FF15|"; content: "|50E887FCFFFF5959A1|"; distance: 4; within: 13; content: "|8B40100305|"; distance: 4; within: 9; content: "|8945FC8B45FCFFE05F5E5BC9C3000000|"; distance: 4; within: 20; sid: 2009001205; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 20X - Jitit]"; flow: established,to_client; content: "|B8EFBEADDE506A00FF15|"; content: "|E9ADFFFFFF8BC18B4C2404898829040000C7400C010000000FB64901D1E9894810C7401480000000C204008B442404C7410C010000008981290400000FB64001D1E8894110C7411480000000C20400558BEC53565733C033FF39450C8BF1760C8B4D08033C81403B450C72F48BCEE8430000008B461433D2F7F78B5E1033D28BF88BC3F7F7897E1889450C33C033C98B5508030C8240394D0C73F4488B14822BCA0FAFCF2BD90FAFFA897E14895E105F5E5B5DC20800|"; distance: 4; within: 186; sid: 2009001206; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 22X-2308 - Jitit]"; flow: established,to_client; content: "|B8EFBEADDE506A00FF15|"; content: "|E9B9FFFFFF8BC18B4C2404898829040000C7400C010000000FB64901D1E9894810C7401480000000C204008B442404C7410C010000008981290400000FB64001D1E8894110C7411480000000C20400558BEC53565733C033FF39450C8BF1760C8B4D08033C81403B450C72F48BCEE8430000008B461433D2F7F78B5E1033D28BF88BC3F7F7897E1889450C33C033C98B5508030C8240394D0C73F4488B14822BCA0FAFCF2BD90FAFFA897E14895E105F5E5B5DC20800|"; distance: 4; within: 186; sid: 2009001207; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 2312 - Jitit]"; flow: established,to_client; content: "|6A00FF15|"; content: "|E8D4F8FFFFE9E9ADFFFFFF8BC18B4C2404898829040000C7400C010000000FB64901D1E9894810C7401480000000C204008B442404C7410C010000008981290400000FB64001D1E8894110C7411480000000C20400558BEC53565733C033FF39450C8BF1760C8B4D08033C81403B450C72F48BCEE8430000008B461433D2F7F78B5E1033D28BF88BC3F7F7897E1889450C33C033C98B5508030C8240394D0C73F4488B14822BCA0FAFCF2BD90FAFFA897E14895E105F5E5B5DC20800|"; distance: 4; within: 192; sid: 2009001208; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 2422-2428 - Jitit]"; flow: established,to_client; content: "|558BECB8|"; content: "|BB|"; distance: 4; within: 5; content: "|50E800000000582D9B1A0000B9841A0000BA141B0000BE00100000BFB0530000BDE01A000003E8817500|"; distance: 4; within: 46; content: "|817504|"; distance: 4; within: 7; content: "|817508|"; distance: 4; within: 7; content: "|81750C|"; distance: 4; within: 7; content: "|817510|"; distance: 4; within: 7; sid: 2009001209; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 2501 - Jitit]"; flow: established,to_client; content: "|558BECB8|"; content: "|BB|"; distance: 4; within: 5; content: "|50E800000000582DA81A0000B96D1A0000BA211B0000BE00100000BFC0530000BDF01A000003E8817500|"; distance: 4; within: 46; content: "|817504|"; distance: 4; within: 7; content: "|817508|"; distance: 4; within: 7; content: "|81750C|"; distance: 4; within: 7; content: "|817510|"; distance: 4; within: 7; sid: 2009001210; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 2545 - Jitit]"; flow: established,to_client; content: "|E8F2FFFFFF5068|"; content: "|68401B0000E842FFFFFFE99DFFFFFF000000000000|"; distance: 4; within: 25; sid: 2009001211; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 2547-V2600 - Jitit]"; flow: established,to_client; content: "|E80000000058BBBC1800002BC35068|"; content: "|68601B00006860000000E835FFFFFFE999FFFFFF0000|"; distance: 4; within: 26; sid: 2009001212; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 2609 - Jitit]"; flow: established,to_client; content: "|E80000000058BBAD1900002BC35068|"; content: "|68B01C00006880000000E835FFFFFFE999FFFFFF00|"; distance: 4; within: 25; sid: 2009001213; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 2620-2623 - Jitit]"; flow: established,to_client; content: "|E80000000058BBAC1E00002BC35068|"; content: "|68B021000068C4000000E8C3FEFFFFE999FFFFFF0000|"; distance: 4; within: 26; sid: 2009001214; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Embedded 2717-2719 - Jitit]"; flow: established,to_client; content: "|9C60E80000000058BB|"; content: "|2BC35068|"; distance: 4; within: 8; content: "|68|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|E8C1FEFFFFE997FFFFFFCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA000000804333C0E819010000730E8B4DF8E8270100000245F7AAEBE9E8040100000F8296000000E8F9000000735BB904000000E8050100004874DE0F89C6000000E8DF000000731B55BD00010000E8DF0000008807474D75F5E8C700000072E95DEBA2B901000000E8D000000083C0078945F8C645F70083F8087489E8B10000008845F7E97CFFFFFFB907000000E8AA0000005033C9B102E8A00000008BC84141580BC074048BD8EB5E83F902746A41E8880000008945FCE948FFFFFFE88700000049E2098BC3E87D000000EB3A498BC1558B4DFC8BE833C0D3E5E85D0000000BC55D8BD8E85F0000003D0000010073143DFF370000730E3D7F020000730883F87F770441414141568BF72BF0F3A45EE9F0FEFFFF33C0EB058BC72B450C5E5F5BC9C20800|"; distance: 4; within: 335; sid: 2009001215; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall V2403 - Jitit]"; flow: established,to_client; content: "|6A00FF1520504000E8D4F8FFFFE9E9ADFFFFFF8BC18B4C2404898829040000C7400C010000000FB64901D1E9894810C7401480000000C204008B442404C7410C010000008981290400000FB64001D1E8894110C741|"; sid: 2009001216; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall V2403 - Jitit]"; flow: established,to_client; content: "|6A00FF1520504000E8D4F8FFFFE9E9ADFFFFFF8BC18B4C2404898829040000C7400C010000000FB64901D1E9894810C7401480000000C204008B442404C7410C010000008981290400000FB64001D1E8894110C7411480000000C20400558BEC53565733C033FF39450C8BF1760C8B4D08033C81403B450C72F48BCEE8430000008B461433D2F7F78B5E1033D28BF88BC3F7F7897E1889450C33C033C98B5508030C8240394D0C73F4488B14822BCA0FAFCF2BD90FAFFA897E14895E105F5E5B5DC2080057BF00008000397914773653568BB1290400008B410C8B591003DB8A143083E2010BD3C1E2074089511089410C0FB60430C1611408D1E809411039|"; sid: 2009001217; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall v2460 - Jitit]"; flow: established,to_client; content: "|558BEC515356576A006A00FF15F418400050E887FCFFFF5959A1941A40008B40100305901A40008945FC8B45FCFFE05F5E5BC9C3000000760C0000D40C00001E|"; sid: 2009001218; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall V27X - Jitit]"; flow: established,to_client; content: "|9C60E80000000058BB|"; content: "|2BC35068|"; distance: 4; within: 8; content: "|68|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|E8|"; distance: 4; within: 5; content: "|E9|"; distance: 4; within: 5; sid: 2009001219; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Virtualization Suite 3035-3043 - Thinstall Company]"; flow: established,to_client; content: "|9C60685374416C685468496EE80000000058BB371F00002BC35068|"; content: "|68002800006804010000E8BAFEFFFFE990FFFFFFCCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA000000804333C0E819010000730E8B4DF8E8270100000245F7AAEBE9E8040100000F8296000000E8F9000000735BB904000000E8050100004874DE0F89C6000000E8DF000000731B55BD00010000E8DF0000008807474D75F5E8C700000072E95DEB|"; distance: 4; within: 155; sid: 2009001220; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Virtualization Suite 3049-3080 - Thinstall Company]"; flow: established,to_client; content: "|9C60685374416C685468496EE80000000058BB371F00002BC35068|"; content: "|68002C00006804010000E8BAFEFFFFE990FFFFFFCCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA00|"; distance: 4; within: 58; sid: 2009001221; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Virtualization Suite 3049-3080 - Thinstall Company]"; flow: established,to_client; content: "|9C60685374416C685468496EE80000000058BB371F00002BC35068|"; content: "|68002C00006804010000E8BAFEFFFFE990FFFFFFCCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA000000804333C0E819010000730E8B4DF8E8270100000245F7AAEBE9E8040100000F8296000000E8F9000000735BB904000000E8050100004874DE0F89C6000000E8DF000000731B55BD00010000E8DF0000008807474D75F5E8C700000072E95DEB|"; distance: 4; within: 155; sid: 2009001222; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Virtualization Suite 30X - Thinstall Company]"; flow: established,to_client; content: "|9C6068|"; content: "|68|"; distance: 4; within: 5; content: "|E80000000058BB|"; distance: 4; within: 11; content: "|2BC35068|"; distance: 4; within: 8; content: "|68|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|E8BAFEFFFFE9|"; distance: 4; within: 10; content: "|CCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA|"; distance: 4; within: 37; sid: 2009001223; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall Virtualization Suite 30X - Thinstall Company]"; flow: established,to_client; content: "|9C6068|"; content: "|68|"; distance: 4; within: 5; content: "|E80000000058BB|"; distance: 4; within: 11; content: "|2BC35068|"; distance: 4; within: 8; content: "|68|"; distance: 4; within: 5; content: "|68|"; distance: 4; within: 5; content: "|E8BAFEFFFFE9|"; distance: 4; within: 10; content: "|CCCCCCCCCCCCCC558BEC83C4F4FC5357568B75088B7D0CC745FC0800000033DBBA|"; distance: 4; within: 37; content: "|4333C0E819010000730E8B4DF8E8270100000245F7AAEBE9E8040100000F8296000000E8F9000000735BB904000000E8050100004874DE0F89|"; distance: 4; within: 61; content: "|E8DF000000731B55BD|"; distance: 4; within: 13; content: "|E8DF0000008807474D75F5E8C700000072E95DEB|"; distance: 4; within: 24; sid: 2009001224; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Thinstall vxx]"; flow: established,to_client; content: "|B8EFBEADDE506A|"; content: "|FF15101940|"; distance: 1; within: 6; content: "|E9ADFFFFFF|"; distance: 1; within: 6; sid: 2009001225; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[TMT-Pascal v040]"; flow: established,to_client; content: "|0E1F068C06|"; content: "|26A1|"; distance: 2; within: 4; content: "|A3|"; distance: 2; within: 3; content: "|8EC06633FF6633C9|"; distance: 2; within: 10; sid: 2009001226; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[TopSpeed v301 1989]"; flow: established,to_client; content: "|1EBA|"; content: "|8EDA8B|"; distance: 2; within: 5; content: "|8B|"; distance: 3; within: 4; content: "|FF|"; distance: 3; within: 4; content: "|5053|"; distance: 3; within: 5; sid: 2009001227; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[TPPpack - clane]"; flow: established,to_client; content: "|E8000000005D81EDF58F40006033|"; content: "|E8|"; distance: 1; within: 2; sid: 2009001228; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Trivial173 by SMTSMF]"; flow: established,to_client; content: "|EB|"; content: "|285472697669616C31373320627920534D542F534D4629|"; distance: 2; within: 25; sid: 2009001229; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UG2002 Cruncher v03b3]"; flow: established,to_client; content: "|60E8|"; content: "|5D81ED|"; distance: 4; within: 7; content: "|E80D|"; distance: 4; within: 6; content: "|58|"; distance: 16; within: 17; sid: 2009001230; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UltraPro V10 - SafeNet]"; flow: established,to_client; content: "|A1|"; content: "|85C00F853B0600005556C705|"; distance: 4; within: 16; content: "|01000000FF15|"; distance: 4; within: 10; sid: 2009001231; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Unknown by SMT]"; flow: established,to_client; content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|83|"; distance: 4; within: 5; content: "|57EB|"; distance: 2; within: 4; sid: 2009001232; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Unknown Joiner (sign from pinch 26032007 0212)]"; flow: established,to_client; content: "|44904C90B9DE000000BA0010400083C20344904CB90700000044904C33C9C705083040000000000090680001000068213040006A00E8C5020000906A006880|"; sid: 2009001233; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Unnamed Scrambler 13B - p0ke]"; flow: established,to_client; content: "|558BECB9080000006A006A004975F9535657B898560010E848EBFFFF33C05568AC5D001064FF306489206A0068BC5D001068C45D00106A00E823ECFFFFE8C6CEFFFF6A0068BC5D001068|"; content: "|6A00E80BECFFFFE8F2F4FFFFB808BC001033C9BA04010000E8C1D2FFFF6A0068BC5D001068E45D00106A00E8E2EBFFFF68040100006808BC00106A00FF15687700106A0068BC5D001068FC5D00106A00E8BDEBFFFFBA105E0010B870770010E8CAF3FFFF85C00F84F7050000BA747700108B0D70770010E8FECDFFFF6A00|"; distance: 4; within: 130; sid: 2009001234; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UnoPiX 075 - BaGiE]"; flow: established,to_client; content: "|60E8070000006168|"; content: "|4000C383042418C32083B8ED2037EFC6B979379E61|"; distance: 2; within: 23; sid: 2009001235; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UnoPiX 103-110 - BaGiE]"; flow: established,to_client; content: "|83EC04C7042400|"; content: "|C300|"; distance: 3; within: 5; content: "|000000000000000000000000|"; distance: 2; within: 14; content: "|00100000000200000100000000000000040000000000000000|"; distance: 2; within: 27; content: "|000010000000000000020000|"; distance: 2; within: 14; content: "|0000|"; distance: 1; within: 3; content: "|0000|"; distance: 1; within: 3; content: "|0000001000001000000000000010|"; distance: 2; within: 16; sid: 2009001236; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Unpacked BS-SFX Archive v19]"; flow: established,to_client; content: "|1E33C050B8|"; content: "|8ED8FA8ED0BC|"; distance: 2; within: 8; content: "|FBB8|"; distance: 2; within: 4; content: "|CD213C0373|"; distance: 2; within: 7; sid: 2009001237; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack 010 - 012 beta - Dwing]"; flow: established,to_client; content: "|BE48014000AD8BF895A533C033C9AB48ABF7D8B104F3ABC1E00AB5|"; content: "|F3ABAD509751AD87F5588D54865CFFD5725A2C037302B0003C0772022C03500FB65FFFC1|"; distance: 1; within: 37; sid: 2009001238; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack 012 beta--Dwing]"; flow: established,to_client; content: "|BE48014000AD|"; content: "|A5|"; distance: 3; within: 4; content: "|C033C9|"; distance: 1; within: 4; content: "|F3AB|"; distance: 7; within: 9; content: "|0A|"; distance: 2; within: 3; content: "|AD509751|"; distance: 4; within: 8; content: "|87F5588D54865C|"; distance: 1; within: 8; content: "|D572|"; distance: 1; within: 3; content: "|B65FFFC1|"; distance: 15; within: 19; sid: 2009001239; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack 020 beta - Dwing]"; flow: established,to_client; content: "|BE88014000AD8BF895A533C033C9AB48ABF7D8B104F3ABC1E00AB5|"; content: "|F3ABAD509751588D54855CFF16725A2C037302B0003C0772022C03500FB65FFFC1E3|"; distance: 1; within: 35; content: "|B3|"; distance: 1; within: 2; sid: 2009001240; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack 021 beta - Dwing]"; flow: established,to_client; content: "|BE88014000AD8BF86A0495A533C0AB48ABF7D859F3ABC1E00AB5|"; content: "|F3ABAD509751588D54855CFF16725A2C037302B0003C0772022C03500FB65FFFC1E3|"; distance: 1; within: 35; content: "|B300|"; distance: 1; within: 3; sid: 2009001241; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack 022 - 023 beta - Dwing]"; flow: established,to_client; content: "|6A07BE88014000AD8BF85995F3A5ADB5|"; content: "|F3ABAD509751588D54855CFF1672592C037302B0003C0772022C03500FB65FFFC1E3|"; distance: 1; within: 35; content: "|B3008D1C5B8D9C9D0C100000|"; distance: 1; within: 13; sid: 2009001242; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack 024 - 027 beta 028 alpha - Dwing]"; flow: established,to_client; content: "|BE88014000AD8BF895AD91F3A5ADB5|"; content: "|F3ABAD509751588D54855CFF1672572C037302B0003C0772022C03500FB65FFFC1E3|"; distance: 1; within: 35; content: "|B3008D1C5B8D9C9D0C100000B0|"; distance: 1; within: 14; sid: 2009001243; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPack Alt Stub - Dwing]"; flow: established,to_client; content: "|60E809000000C3F60000E90602000033C95E870EE3F42BF18BDEAD2BD8AD|"; sid: 2009001244; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v010 - v012 Beta - Dwing]"; flow: established,to_client; content: "|BE4801|"; content: "|95A533C0|"; distance: 5; within: 9; sid: 2009001245; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack V010-V011 - Dwing]"; flow: established,to_client; content: "|BE|"; content: "|AD8BF895A533C033C9AB48ABF7D8B1|"; distance: 4; within: 19; content: "|F3ABC1E0|"; distance: 1; within: 5; content: "|B5|"; distance: 1; within: 2; content: "|F3ABAD509751AD87F5588D54865CFFD5725A2C|"; distance: 1; within: 20; content: "|73|"; distance: 1; within: 2; content: "|B0|"; distance: 1; within: 2; content: "|3C|"; distance: 1; within: 2; content: "|72022C|"; distance: 1; within: 4; content: "|500FB65FFFC1E3|"; distance: 1; within: 8; content: "|B3|"; distance: 1; within: 2; content: "|8D1C5B8D|"; distance: 1; within: 5; content: "|B0|"; distance: 6; within: 7; content: "|67E3298BD72B560C8A2A33D284E90F95C652FEC68AD08D1493FFD5|"; distance: 1; within: 28; sid: 2009001246; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v01x - v02x - Dwing]"; flow: established,to_client; content: "|BE8801|"; content: "|AD8BF895|"; distance: 2; within: 6; sid: 2009001247; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v02 Beta - Dwing]"; flow: established,to_client; content: "|BE8801|"; content: "|AD8BF895A533C033|"; distance: 2; within: 10; sid: 2009001248; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v021 Beta - Dwing]"; flow: established,to_client; content: "|BE8801|"; content: "|AD8BF8|"; distance: 2; within: 5; content: "|33|"; distance: 4; within: 5; sid: 2009001249; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v022 v023 Beta - Dwing]"; flow: established,to_client; content: "|6A07BE88014000AD8BF85995F3A5|"; sid: 2009001250; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v024 v028 Alpha - Dwing]"; flow: established,to_client; content: "|BE88014000AD|"; content: "|95AD91F3A5AD|"; distance: 2; within: 8; sid: 2009001251; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v029 beta - Dwing]"; flow: established,to_client; content: "|E9|"; content: "|42794477696E6740000000504500004C0102|"; distance: 4; within: 22; content: "|29|"; distance: 20; within: 21; sid: 2009001252; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v030 beta - Dwing]"; flow: established,to_client; content: "|E9|"; content: "|42794477696E6740000000504500004C0102|"; distance: 4; within: 22; content: "|30|"; distance: 20; within: 21; sid: 2009001253; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v031 beta - Dwing]"; flow: established,to_client; content: "|E9|"; content: "|42794477696E6740000000504500004C0102|"; distance: 4; within: 22; content: "|31|"; distance: 20; within: 21; sid: 2009001254; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v032 beta - Dwing]"; flow: established,to_client; content: "|E9|"; content: "|42794477696E6740000000504500004C0102|"; distance: 4; within: 22; content: "|32|"; distance: 20; within: 21; sid: 2009001255; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack V036 - Dwing]"; flow: established,to_client; content: "|0B01|"; content: "|1810000010000000|"; distance: 14; within: 22; content: "|0010000000020000|"; distance: 8; within: 16; content: "|00000000|"; distance: 12; within: 16; content: "|000000000A0000000000000000000000|"; distance: 32; within: 48; content: "|14000000|"; distance: 4; within: 8; content: "|47657450726F634164647265737300FF7608FF760CBE1C01|"; distance: 64; within: 88; sid: 2009001256; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack V036 - Dwing]"; flow: established,to_client; content: "|BE|"; content: "|FF36E9C3000000|"; distance: 4; within: 11; sid: 2009001257; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v036 beta - Dwing]"; flow: established,to_client; content: "|BEE011|"; content: "|FF36E9C30000004801|"; distance: 2; within: 11; content: "|0B014B45524E454C33322E444C4C|"; distance: 2; within: 16; sid: 2009001258; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v036 beta - Dwing]"; flow: established,to_client; content: "|BEE011|"; content: "|FF36E9C30000004801|"; distance: 2; within: 11; content: "|0B014B45524E454C33322E444C4C|"; distance: 2; within: 16; content: "|47657450726F6341646472657373|"; distance: 162; within: 176; content: "|828EFEFFFF588B4E405FE3|"; distance: 54; within: 65; sid: 2009001259; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack V037 - Dwing]"; flow: established,to_client; content: "|0B01|"; content: "|1810000010000000|"; distance: 14; within: 22; content: "|0010000000020000|"; distance: 8; within: 16; content: "|00000000|"; distance: 12; within: 16; content: "|000000000A0000000000000000000000|"; distance: 32; within: 48; content: "|14000000|"; distance: 4; within: 8; content: "|47657450726F63416464726573730000|"; distance: 40; within: 56; sid: 2009001260; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack V037 - Dwing]"; flow: established,to_client; content: "|60E809000000|"; content: "|33C95E870E|"; distance: 9; within: 14; sid: 2009001261; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack V037 - Dwing]"; flow: established,to_client; content: "|BE|"; content: "|AD50FF|"; distance: 4; within: 7; content: "|EB|"; distance: 2; within: 3; sid: 2009001262; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v037 beta - Dwing]"; flow: established,to_client; content: "|BEB011|"; content: "|AD50FF7634EB7C4801|"; distance: 2; within: 11; content: "|0B014C6F61644C696272617279410000181000001000000000|"; distance: 2; within: 27; content: "|0000|"; distance: 3; within: 5; content: "|00100000000200000400000000003700040000000000000000|"; distance: 2; within: 27; content: "|0002000000000000|"; distance: 3; within: 11; sid: 2009001263; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v037 beta - Dwing]"; flow: established,to_client; content: "|BEB011|"; content: "|AD50FF7634EB7C4801|"; distance: 2; within: 11; content: "|0B014C6F61644C696272617279410000181000001000000000|"; distance: 2; within: 27; content: "|0000|"; distance: 3; within: 5; content: "|00100000000200000400000000003700040000000000000000|"; distance: 2; within: 27; content: "|0002000000000000|"; distance: 3; within: 11; content: "|0000|"; distance: 1; within: 3; content: "|0000|"; distance: 1; within: 3; content: "|0000|"; distance: 1; within: 3; content: "|000000100000100000000000000A0000000000000000000000EE|"; distance: 2; within: 28; content: "|1400000000|"; distance: 3; within: 8; content: "|00FF7638AD508B3EBEF0|"; distance: 6; within: 16; content: "|6A2759F3A5FF760483C8FF8BDFABEB1C0000000047657450726F63416464726573730000|"; distance: 3; within: 39; content: "|00000040AB40B104F3ABC1E00AB5|"; distance: 5; within: 19; content: "|F3AB8B7E0C5751E9|"; distance: 1; within: 9; content: "|E3B104D3E003E88D531833C0554051D3E08BEA91FF564C33D259D1E813D2E2FA5D03EA4559896B08568BF72BF5F3A4AC5EB180AA3B7E340F828EFEFFFF585F59E31B8A074704183C0273F78B073C|"; distance: 4; within: 82; content: "|75F1B0000FC80346382BC7ABE2E55E5D59515946AD85C0741F|"; distance: 1; within: 26; sid: 2009001264; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v038 beta - Dwing]"; flow: established,to_client; content: "|BEB011|"; content: "|AD50FF7634EB7C4801|"; distance: 2; within: 11; content: "|0B014C6F61644C696272617279410000181000001000000000|"; distance: 2; within: 27; content: "|0000|"; distance: 3; within: 5; content: "|00100000000200000400000000003800040000000000000000|"; distance: 2; within: 27; content: "|0002000000000000|"; distance: 3; within: 11; sid: 2009001265; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v038 beta - Dwing]"; flow: established,to_client; content: "|BEB011|"; content: "|AD50FF7634EB7C4801|"; distance: 2; within: 11; content: "|0B014C6F61644C696272617279410000181000001000000000|"; distance: 2; within: 27; content: "|0000|"; distance: 3; within: 5; content: "|00100000000200000400000000003800040000000000000000|"; distance: 2; within: 27; content: "|0002000000000000|"; distance: 3; within: 11; content: "|0000|"; distance: 1; within: 3; content: "|0000|"; distance: 1; within: 3; content: "|0000|"; distance: 1; within: 3; content: "|000000100000100000000000000A0000000000000000000000EE|"; distance: 2; within: 28; content: "|1400000000|"; distance: 3; within: 8; content: "|00FF7638AD508B3EBEF0|"; distance: 6; within: 16; content: "|6A2759F3A5FF760483C8FF8BDFABEB1C0000000047657450726F63416464726573730000|"; distance: 3; within: 39; content: "|00000040AB40B104F3ABC1E00AB5|"; distance: 5; within: 19; content: "|F3AB8B7E0C5751E9|"; distance: 1; within: 9; content: "|E3B104D3E003E88D531833C0554051D3E08BEA91FF564C33D259D1E813D2E2FA5D03EA4559896B08568BF72BF5F3A4AC5EB180AA3B7E340F8297FEFFFF585F59E31B8A074704183C0273F78B073C|"; distance: 4; within: 82; content: "|75F1B0000FC80346382BC7ABE2E55E5D59515946AD85C0741F|"; distance: 1; within: 26; sid: 2009001266; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v0399 - Dwing]"; flow: established,to_client; content: "|0B014C6F61644C696272617279410000181000001000000000|"; content: "|000000400000100000000200000400000000003A00040000000000000000|"; distance: 2; within: 32; content: "|000002000000000000|"; distance: 2; within: 11; content: "|0000000000100000|"; distance: 1; within: 9; content: "|00000000100000100000000000000A0000000000000000000000EE|"; distance: 1; within: 28; content: "|001400000000|"; distance: 2; within: 8; content: "|00|"; distance: 2; within: 3; content: "|0000FF7638AD508B3EBEF0|"; distance: 2; within: 13; content: "|006A2759F3A5FF760483C8FF8BDFABEB1C0000000047657450726F63416464726573730000|"; distance: 2; within: 39; content: "|00|"; distance: 3; within: 4; content: "|00000040AB40B104F3ABC1E00AB5|"; distance: 1; within: 15; sid: 2009001267; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v0399 - Dwing]"; flow: established,to_client; content: "|BEB011|"; content: "|AD50FF7634EB7C4801|"; distance: 2; within: 11; content: "|0B014C6F61644C696272617279410000181000001000000000|"; distance: 2; within: 27; content: "|0000|"; distance: 3; within: 5; content: "|00100000000200000400000000003A00040000000000000000|"; distance: 2; within: 27; content: "|0002000000000000|"; distance: 3; within: 11; sid: 2009001268; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack v0399 - Dwing]"; flow: established,to_client; content: "|BEB011|"; content: "|AD50FF7634EB7C4801|"; distance: 2; within: 11; content: "|0B014C6F61644C696272617279410000181000001000000000|"; distance: 2; within: 27; content: "|0000|"; distance: 3; within: 5; content: "|00100000000200000400000000003A00040000000000000000|"; distance: 2; within: 27; content: "|0002000000000000|"; distance: 3; within: 11; content: "|0000|"; distance: 1; within: 3; content: "|0000100000|"; distance: 1; within: 6; content: "|000000100000100000000000000A0000000000000000000000EE|"; distance: 2; within: 28; content: "|1400000000|"; distance: 3; within: 8; content: "|0000FF7638AD508B3EBEF0|"; distance: 5; within: 16; content: "|6A2759F3A5FF760483C8FF8BDFABEB1C0000000047657450726F63416464726573730000|"; distance: 3; within: 39; content: "|00000040AB40B104F3ABC1E00AB5|"; distance: 5; within: 19; content: "|F3AB8B7E0C5751E9|"; distance: 1; within: 9; content: "|5610E2E3B104D3E003E88D531833C0554051D3E08BEA91FF564C9959D1E813D2E2FA5D03EA4559896B08568BF72BF5F3A4AC5EB180AA3B|"; distance: 4; within: 59; sid: 2009001269; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack_Patch - Dwing]"; flow: established,to_client; content: "|813A0000000200000000|"; sid: 2009001270; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack_Patch or any Version - Dwing]"; flow: established,to_client; content: "|60E809000000|"; content: "|00E90602|"; distance: 3; within: 7; sid: 2009001271; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upack_Unknown (DLL ) - Dwing]"; flow: established,to_client; content: "|60E80900000017CD0000E90602|"; sid: 2009001272; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX ECLiPSE layer]"; flow: established,to_client; content: "|B8|"; content: "|B9|"; distance: 4; within: 5; content: "|33D2EB010F56EB010FE803000000EB010FEB010F5EEB01|"; distance: 4; within: 27; sid: 2009001273; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX 050 - 070]"; flow: established,to_client; content: "|60E8000000005883E83D|"; sid: 2009001274; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX 072]"; flow: established,to_client; content: "|60E80000000083CDFF31DB5E|"; sid: 2009001275; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX 290 [LZMA] (Delphi stub) - Markus Oberhumer Laszlo Molnar John Reiser]"; flow: established,to_client; content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|C787|"; distance: 4; within: 6; content: "|5783CDFF89E58D9C24|"; distance: 8; within: 17; content: "|31C05039DC75FB46465368|"; distance: 4; within: 15; content: "|5783C3045368|"; distance: 4; within: 10; content: "|5683C304|"; distance: 4; within: 8; sid: 2009001276; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX 290 [LZMA] - Markus Oberhumer Laszlo Molnar John Reiser]"; flow: established,to_client; content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFF89E58D9C24|"; distance: 4; within: 13; content: "|31C05039DC75FB46465368|"; distance: 4; within: 15; content: "|5783C3045368|"; distance: 4; within: 10; content: "|5683C3045350C703|"; distance: 4; within: 12; content: "|9090|"; distance: 4; within: 6; sid: 2009001277; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX 290 [LZMA] - Markus Oberhumer Laszlo Molnar John Reiser]"; flow: established,to_client; content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFFEB109090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB|"; distance: 4; within: 55; sid: 2009001278; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX 293 - 300 [LZMA] - Markus Oberhumer Laszlo Molnar John Reiser]"; flow: established,to_client; content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5789E58D9C24|"; distance: 4; within: 10; content: "|31C05039DC75FB46465368|"; distance: 4; within: 15; content: "|5783C3045368|"; distance: 4; within: 10; content: "|5683C3045350C703030002009090909090|"; distance: 4; within: 21; sid: 2009001279; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX Alternative stub]"; flow: established,to_client; content: "|01DB078B1E83EEFC11DBEDB80100000001DB078B1E83EEFC11DB11C001DB730B|"; sid: 2009001280; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX Modified stub]"; flow: established,to_client; content: "|79070FB707475047B95748F2AE55FF9684|"; content: "|000009C07407890383C304EBD8FF9688|"; distance: 1; within: 17; content: "|000061E9|"; distance: 1; within: 5; content: "|FF|"; distance: 3; within: 4; sid: 2009001281; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX Modified Stub b - Farb-rausch Consumer Consulting]"; flow: established,to_client; content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFFFCB28031DBA4B302E86D00000073F631C9E864000000731C31C0E85B0000007323B30241B010E84F00000010C073F7753FAAEBD4E84D00000029D97510E842000000EB28AC|"; distance: 4; within: 77; sid: 2009001282; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX Modified Stub c - Farb-rausch Consumer Consulting]"; flow: established,to_client; content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFFFCB280E8000000005B83C366A4FFD373FB31C9FFD3731431C0FFD3731D41B010FFD310C073FA753CAAEBE2E84A00000049E210E840000000EB28ACD1E8744511C9EB1C9148|"; distance: 4; within: 77; sid: 2009001283; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX Modifier v01x]"; flow: established,to_client; content: "|50BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CD|"; distance: 4; within: 7; sid: 2009001284; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX Protector v10x]"; flow: established,to_client; content: "|EBEC|"; content: "|8A064688074701DB7507|"; distance: 4; within: 14; sid: 2009001285; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX v103 - v104 Modified]"; flow: established,to_client; content: "|01DB|"; content: "|078B1E83EEFC11DB8A07|"; distance: 1; within: 11; content: "|EBB80100000001DB|"; distance: 1; within: 9; content: "|078B1E83EEFC11DB11C001DB73EF|"; distance: 1; within: 15; sid: 2009001286; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upx v12 - Marcus Lazlo]"; flow: established,to_client; content: "|60BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFFEB05A401DB75078B1E83EEFC11DB72F231C04001DB75078B1E83EEFC11DB11C001DB75078B1E83EEFC11DB73E631C983|"; distance: 4; within: 56; sid: 2009001287; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Upx-Lock 10 - 12 -- CyberDoom Team-X BoB BobSoft]"; flow: established,to_client; content: "|60E8000000005D81ED4812400060E82B03000061|"; sid: 2009001288; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX-SCRAMBLER 306 - OnToL]"; flow: established,to_client; content: "|E8000000005983C10751C3C3BE|"; content: "|83EC04893424B9800000008136|"; distance: 4; within: 17; content: "|50B80400000050033424585883E903E2E9EBD6|"; distance: 4; within: 23; sid: 2009001289; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX-Scrambler RC v1x]"; flow: established,to_client; content: "|9061BE|"; content: "|8DBE|"; distance: 4; within: 6; content: "|5783CDFF|"; distance: 4; within: 8; sid: 2009001290; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX-Shit v01 - 500mhz]"; flow: established,to_client; content: "|E8000000005E83C614AD89C7AD89C1AD300747E2FBADFFE0C300|"; content: "|00|"; distance: 2; within: 3; content: "|00|"; distance: 3; within: 4; content: "|01|"; distance: 3; within: 4; content: "|005550582D536869742076302E31202D207777772E626C61636B6C6F6769632E6E6574202D20636F6465206279|"; distance: 3; within: 48; sid: 2009001291; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX-Shit v01 - 500mhz]"; flow: established,to_client; content: "|E8000000005E83C614AD89C7AD89C1AD300747E2FBADFFE0C300|"; content: "|00|"; distance: 2; within: 3; content: "|00|"; distance: 3; within: 4; content: "|005550582D536869742076302E31202D207777772E626C61636B6C6F6769632E6E6574202D20636F6465206279|"; distance: 7; within: 52; sid: 2009001292; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPX-Shit v01 - 500mhz]"; flow: established,to_client; content: "|E8|"; content: "|5E83C6|"; distance: 4; within: 7; content: "|AD89C7AD89C1AD300747E2|"; distance: 1; within: 12; content: "|ADFFE0C3|"; distance: 1; within: 5; sid: 2009001293; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPXcrypter - archphaseNWC]"; flow: established,to_client; content: "|BF|"; content: "|0081FF|"; distance: 3; within: 6; content: "|007410812F|"; distance: 3; within: 8; content: "|00000083C704BB05|"; distance: 1; within: 9; content: "|00FFE3BE|"; distance: 2; within: 6; content: "|00FFE600000000|"; distance: 3; within: 10; sid: 2009001294; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPXFreak v01 (Borland Delphi) - HMX0101]"; flow: established,to_client; content: "|BE|"; content: "|83C601FFE6000000|"; distance: 4; within: 12; content: "|0003000000|"; distance: 3; within: 8; content: "|001000000000|"; distance: 4; within: 10; content: "|0000|"; distance: 4; within: 6; content: "|F6|"; distance: 1; within: 2; content: "|00B24F4500|"; distance: 1; within: 6; content: "|F9|"; distance: 1; within: 2; content: "|00EF4F4500|"; distance: 1; within: 6; content: "|F6|"; distance: 1; within: 2; content: "|008CD14200|"; distance: 1; within: 6; content: "|56|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|24|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|00|"; distance: 3; within: 4; sid: 2009001295; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPXFreak v01 (Borland Delphi) - HMX0101]"; flow: established,to_client; content: "|BE|"; content: "|83C601FFE6000000|"; distance: 4; within: 12; content: "|0003000000|"; distance: 3; within: 8; content: "|001000000000|"; distance: 4; within: 10; content: "|0000|"; distance: 4; within: 6; content: "|F6|"; distance: 1; within: 2; content: "|00B24F4500|"; distance: 1; within: 6; content: "|F9|"; distance: 1; within: 2; content: "|00EF4F4500|"; distance: 1; within: 6; content: "|F6|"; distance: 1; within: 2; content: "|008CD14200|"; distance: 1; within: 6; content: "|56|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|24|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|0034504500|"; distance: 3; within: 8; content: "|00FFFF0000|"; distance: 3; within: 8; content: "|24|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|24|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|00400000C00000|"; distance: 3; within: 10; content: "|0000|"; distance: 4; within: 6; content: "|000000|"; distance: 1; within: 4; content: "|1E|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|F7|"; distance: 1; within: 2; content: "|00A64E4300|"; distance: 1; within: 6; content: "|56|"; distance: 1; within: 2; content: "|00ADD14200|"; distance: 1; within: 6; content: "|F7|"; distance: 1; within: 2; content: "|00A1D24200|"; distance: 1; within: 6; content: "|56|"; distance: 1; within: 2; content: "|000B4D4300|"; distance: 1; within: 6; content: "|F7|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|F7|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|56|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|000000|"; distance: 5; within: 8; content: "|77|"; distance: 7; within: 8; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 3; within: 4; content: "|77|"; distance: 3; within: 4; content: "|0000|"; distance: 2; within: 4; content: "|00|"; distance: 3; within: 4; content: "|0000|"; distance: 6; within: 8; content: "|00|"; distance: 3; within: 4; content: "|00|"; distance: 11; within: 12; content: "|00000000|"; distance: 4; within: 8; content: "|00|"; distance: 3; within: 4; sid: 2009001296; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPXFreak V01 - HMX0101]"; flow: established,to_client; content: "|BE|"; content: "|83C601FFE60000|"; distance: 4; within: 11; sid: 2009001297; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[UPXShit 006]"; flow: established,to_client; content: "|B8|"; content: "|4300B915000000803408|"; distance: 2; within: 12; content: "|E2FAE9D6FFFFFF|"; distance: 1; within: 8; sid: 2009001298; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[USERNAME v300]"; flow: established,to_client; content: "|FB2E|"; content: "|2E|"; distance: 4; within: 5; content: "|2E|"; distance: 4; within: 5; content: "|2E|"; distance: 4; within: 5; content: "|8CC82BC18BC82E|"; distance: 4; within: 11; content: "|2E|"; distance: 4; within: 5; content: "|33C08ED8060E07FC33F6|"; distance: 4; within: 14; sid: 2009001299; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VBOX v42 MTE]"; flow: established,to_client; content: "|8CE00BC58CE00BC403C5740074008BC5|"; sid: 2009001300; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VcAsm Protector - VcAsm]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64A1000000005064892500000000E803000000C7840058EB01E983C00750C3|"; distance: 4; within: 35; sid: 2009001301; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VcAsm Protector V10X- VcAsm]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64A1000000005064892500000000E803000000|"; distance: 4; within: 23; sid: 2009001302; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vcasm Protector V1X - vcasm]"; flow: established,to_client; content: "|EB|"; content: "|5B5650726F746563745D|"; distance: 1; within: 11; sid: 2009001303; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vcasm-Protector 10]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|0068|"; distance: 3; within: 5; content: "|0064A1000000005064892500000000E803000000C7840058EB01E983C00750C3FF35E803000000C7840058EB01E983C00750C3FF35E807000000C78383C013EB0B58EB02CD2083|"; distance: 3; within: 74; sid: 2009001304; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vcasm-Protector 10e - vcasm]"; flow: established,to_client; content: "|EB0A5B5650726F746563745D|"; sid: 2009001305; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vcasm-Protector 11 - 12 - vcasm]"; flow: established,to_client; content: "|EB0B5B5650726F746563745D|"; sid: 2009001306; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[vfpexeNc V500 - Wang JianGuo]"; flow: established,to_client; content: "|60E8000000005D|"; content: "|5064FF350000000064892500000000CC|"; distance: 12; within: 28; sid: 2009001307; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[vfpexeNc v600 - Wang JianGuo]"; flow: established,to_client; content: "|60E8010000006358E8010000007A582D0D1040008D90C110400052508D80491040005D508D85651040005064FF350000000064892500000000CC|"; sid: 2009001308; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Video-Lan-Client]"; flow: established,to_client; content: "|5589E583EC08|"; content: "|FFFF|"; distance: 15; within: 17; sid: 2009001309; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Video-Lan-Client - (UnknownCompiler)]"; flow: established,to_client; content: "|5589E583EC08|"; content: "|FFFF|"; distance: 15; within: 17; content: "|00|"; distance: 19; within: 20; content: "|00|"; distance: 7; within: 8; sid: 2009001310; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Virogen Crypt v075]"; flow: established,to_client; content: "|9C55E8EC00000087D55D6087D580BD1527400001|"; sid: 2009001311; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Virogens PE Shrinker v014]"; flow: established,to_client; content: "|9C55E8|"; content: "|87D55D6087D58D|"; distance: 4; within: 11; content: "|8D|"; distance: 5; within: 6; content: "|5756AD0BC074|"; distance: 5; within: 11; sid: 2009001312; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VOB ProtectCD]"; flow: established,to_client; content: "|5F81EF|"; content: "|BE|"; distance: 4; within: 5; content: "|40|"; distance: 2; within: 3; content: "|8B87|"; distance: 1; within: 3; content: "|03C657568CA7|"; distance: 4; within: 10; content: "|FF108987|"; distance: 4; within: 8; content: "|5E5F|"; distance: 4; within: 6; sid: 2009001313; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector 10X - vcasm]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|68|"; distance: 4; within: 5; content: "|64A1000000005064892500000000E803000000C7840058EB01E983C00750C3FF35E803000000C7840058EB01E983C00750C3FF35E807000000C78383C013EB0B58EB02CD2083C002EB01E950C3E8B904000000E81F000000EBFAE816000000E9EBF8000058EB090F25E8F2FFFFFF0FB94975F1EB05EBF9EBF0D6EB010F31F0EB0C33C8EB03EB090F59740575F851EBF1E8160000008B5C240C8BA3C4000000648F050000000083C404EB1464FF35000000006489250000000033C999F7F1E9E8050000|"; distance: 4; within: 199; sid: 2009001314; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector 11X - vcasm]"; flow: established,to_client; content: "|EB0B5B5650726F746563745D00E8240000008B4424048B003D0400008075088B642408EB0458EB0CE9648F050000000074F375F1EB2464FF3500000000EB12FF9C74037501E9810C24000100009D90EBF464892500000000EBE6E8160000008B5C240C8BA3C4000000648F050000000083C404EB1464FF35000000006489250000000033C999F7F1E9E803000000C7840058EB01E983C00750C3FF35E8160000008B5C240C8BA3C4000000648F050000000083C404EB1464FF35000000006489250000000033C999F7F1E9E803000000C7840058EB01E983C00750C3|"; sid: 2009001315; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[vprotector 12 - vcasm]"; flow: established,to_client; content: "|EB0B5B5650726F746563745D00E8240000008B4424048B003D0400008075088B642408EB0458EB0CE9648F050000000074F375F1EB2464FF3500000000EB12FF9C74037501E9810C24000100009D90EBF464892500|"; sid: 2009001316; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[vprotector 12 - vcasm]"; flow: established,to_client; content: "|EB0B5B5650726F746563745D00E8240000008B4424048B003D0400008075088B642408EB0458EB0CE9648F050000000074F375F1EB2464FF3500000000EB12FF9C74037501E9810C24000100009D90EBF464892500000000EBE6E8160000008B5C240C8BA3C4000000648F050000000083C404EB1464FF35000000006489250000000033C999F7F1E9E803000000C7840058EB01E983C00750C3FF35E8160000008B5C240C8BA3C4000000648F050000000083C404EB1464FF35000000006489250000000033C999F7F1E9E803000000C7840058EB01E983C00750C3FF3533F6E8100000008B642408648F050000000058EB13C78364FF350000000064892500000000ADCD20E8050000000F01EB05E8EBFB000083C404E8080000000F0183C0|"; sid: 2009001317; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector 13X - vcasm]"; flow: established,to_client; content: "|E9B9160000558BEC81EC74040000576800000000680000C21468FFFF000068|"; content: "|9C81|"; distance: 4; within: 6; content: "|9D54FF14246800000000680000C21068|"; distance: 10; within: 26; content: "|9C81|"; distance: 4; within: 6; content: "|9D54FF1424680000000068|"; distance: 10; within: 21; content: "|9C81|"; distance: 4; within: 6; content: "|9D54FF1424680000000068FFFFC21068|"; distance: 10; within: 26; content: "|9C81|"; distance: 4; within: 6; content: "|9D54FF1424680000000068|"; distance: 10; within: 21; content: "|9C81|"; distance: 4; within: 6; content: "|9D54FF14246800000000680000C21468FFFF000068|"; distance: 10; within: 31; content: "|9C81|"; distance: 4; within: 6; content: "|9D54FF1424680000000068|"; distance: 10; within: 21; content: "|9C81|"; distance: 4; within: 6; content: "|9D54FF14246800000000|"; distance: 10; within: 20; sid: 2009001318; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector V10 [Build 20041213] test - vcasm]"; flow: established,to_client; content: "|558BEC6AFF681A894000685689400064A1000000005064892500000000E803000000C7840058EB01E983C00750|"; sid: 2009001319; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector V10A - vcasm]"; flow: established,to_client; content: "|558BEC6AFF688A8E400068C68E400064A1000000005064892500000000E803000000C7840058EB01E983C00750|"; sid: 2009001320; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector V10B - vcasm]"; flow: established,to_client; content: "|558BEC6AFF68CA374100680638410064A1000000005064892500000000E803000000C7840058EB01E983C00750|"; sid: 2009001321; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector V10D - vcasm]"; flow: established,to_client; content: "|558BEC6AFF68CA314100680632410064A1000000005064892500000000E803000000C7840058EB01E983C00750|"; sid: 2009001322; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector V10E - vcasm]"; flow: established,to_client; content: "|EB0A5B5650726F746563745DE8240000008B4424048B003D0400008075088B642408EB0458EB0CE9648F050000000074F375F1EB2464FF3500000000|"; sid: 2009001323; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector V11 - vcasm]"; flow: established,to_client; content: "|B81AED4100B9ECEB41005051E874000000E8516A00005883E810B9B3000000|"; sid: 2009001324; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VProtector V11A - vcasm]"; flow: established,to_client; content: "|EB0B5B5650726F746563745D00E8240000008B4424048B003D0400008075088B642408EB0458EB0CE9648F0500000000|"; sid: 2009001325; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vterminal V10X - Lei Peng]"; flow: established,to_client; content: "|E8000000005805|"; content: "|9C50C20400|"; distance: 4; within: 9; sid: 2009001326; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx ACME (Clonewar Mutant)]"; flow: established,to_client; content: "|FCAD3DFFFF7420E6428AC4E642E4610C03E661ADB9401FE2FE|"; sid: 2009001327; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx ARCV4]"; flow: established,to_client; content: "|E800005D81ED060181FC4F50740B8DB68601BF000157A4EB111E06|"; sid: 2009001328; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx August 16th (Iron Maiden)]"; flow: established,to_client; content: "|BA790203D7B41ACD21B82435CD215F57899D4E028C855002|"; sid: 2009001329; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Backfont900]"; flow: established,to_client; content: "|E8|"; content: "|B430CD213C03|"; distance: 2; within: 8; content: "|B8|"; distance: 2; within: 3; content: "|BA|"; distance: 2; within: 3; content: "|CD2181FA|"; distance: 2; within: 6; content: "|BA|"; distance: 4; within: 5; content: "|8CC0488EC08ED880|"; distance: 2; within: 10; content: "|5A|"; distance: 3; within: 4; content: "|03|"; distance: 2; within: 3; content: "|408ED880|"; distance: 3; within: 7; content: "|5A|"; distance: 3; within: 4; content: "|83|"; distance: 2; within: 3; sid: 2009001330; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Caz1204]"; flow: established,to_client; content: "|E8|"; content: "|5E83EE031E06B8FFFFCD2F3C10|"; distance: 2; within: 15; sid: 2009001331; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx CIH Version 12 TTIT ( WIN95CIH )]"; flow: established,to_client; content: "|558D|"; content: "|33DB648703E8|"; distance: 3; within: 9; content: "|5B8D|"; distance: 4; within: 6; sid: 2009001332; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Compiler]"; flow: established,to_client; content: "|8CC383C3102E011E|"; content: "|022E031E|"; distance: 1; within: 5; content: "|02531E|"; distance: 1; within: 4; sid: 2009001333; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Danish tiny]"; flow: established,to_client; content: "|33C9B44ECD217302FF|"; content: "|BA|"; distance: 1; within: 2; content: "|00B8|"; distance: 1; within: 3; content: "|3DCD21|"; distance: 1; within: 4; sid: 2009001334; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Doom666]"; flow: established,to_client; content: "|E8|"; content: "|5E83EE|"; distance: 3; within: 6; content: "|B8CF7BCD213DCF7B|"; distance: 1; within: 9; content: "|0E1F81C6|"; distance: 2; within: 6; content: "|BF|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|FCF3A4061F06B8|"; distance: 2; within: 9; content: "|50CBB448BB2C00CD21|"; distance: 2; within: 11; sid: 2009001335; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Eddie1028]"; flow: established,to_client; content: "|E8|"; content: "|5EFC83|"; distance: 2; within: 5; content: "|81|"; distance: 2; within: 3; content: "|4D5A|"; distance: 3; within: 5; content: "|FA8BE681C4|"; distance: 2; within: 7; content: "|FB3B|"; distance: 2; within: 4; content: "|5006561EB8FE4BCD2181FFBB55|"; distance: 5; within: 18; content: "|07|"; distance: 2; within: 3; content: "|07B449CD21BBFFFFB448CD21|"; distance: 3; within: 15; sid: 2009001336; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Eddie1530]"; flow: established,to_client; content: "|E8|"; content: "|5E81EE|"; distance: 2; within: 5; content: "|FC2E|"; distance: 2; within: 4; content: "|4D5A|"; distance: 4; within: 6; content: "|FA8BE681C4|"; distance: 2; within: 7; content: "|FB3B|"; distance: 2; within: 4; content: "|2E|"; distance: 5; within: 6; content: "|5006561E33C0501FC4|"; distance: 4; within: 13; content: "|2E|"; distance: 3; within: 4; content: "|2E|"; distance: 4; within: 5; sid: 2009001337; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Eddie1800]"; flow: established,to_client; content: "|E8|"; content: "|5E81EE|"; distance: 2; within: 5; content: "|FC2E|"; distance: 2; within: 4; content: "|4D5A|"; distance: 4; within: 6; content: "|FA8BE681C4|"; distance: 2; within: 7; content: "|FB3B|"; distance: 2; within: 4; content: "|5006561E8BFE33C0508ED8C4|"; distance: 5; within: 17; content: "|2E|"; distance: 3; within: 4; content: "|2E|"; distance: 4; within: 5; sid: 2009001338; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Eddie2000]"; flow: established,to_client; content: "|E8|"; content: "|5E81EE|"; distance: 2; within: 5; content: "|FC2E|"; distance: 2; within: 4; content: "|2E|"; distance: 4; within: 5; content: "|4D5A|"; distance: 4; within: 6; content: "|FA8BE681C4|"; distance: 2; within: 7; content: "|FB3B|"; distance: 2; within: 4; content: "|5006561E8BFE33C0508ED8C5|"; distance: 5; within: 17; content: "|B430CD21|"; distance: 3; within: 7; sid: 2009001339; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Eddie2100]"; flow: established,to_client; content: "|E8|"; content: "|4F4F0EE8|"; distance: 2; within: 6; content: "|47471EFF|"; distance: 2; within: 6; content: "|CBE8|"; distance: 2; within: 4; content: "|84C0|"; distance: 2; within: 4; content: "|505356571E06B451CD218EC3|"; distance: 2; within: 14; content: "|8BF2B42FCD21AC|"; distance: 7; within: 14; sid: 2009001340; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Eddiebased1745]"; flow: established,to_client; content: "|E8|"; content: "|5E81EE|"; distance: 2; within: 5; content: "|FC|"; distance: 2; within: 3; content: "|2E|"; distance: 1; within: 2; content: "|4D5A|"; distance: 4; within: 6; content: "|FA|"; distance: 2; within: 3; content: "|8BE681|"; distance: 1; within: 4; content: "|FB|"; distance: 3; within: 4; content: "|3B|"; distance: 1; within: 2; content: "|5006|"; distance: 5; within: 7; content: "|561E8BFE33C0|"; distance: 1; within: 7; content: "|508ED8|"; distance: 1; within: 4; sid: 2009001341; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Einstein]"; flow: established,to_client; content: "|0042CD217231B96E0333D2B440CD2172193BC17515B80042|"; sid: 2009001342; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Explosion1000]"; flow: established,to_client; content: "|E8|"; content: "|5E1E065081|"; distance: 2; within: 7; content: "|56FCB82135CD212E|"; distance: 3; within: 11; content: "|2E|"; distance: 4; within: 5; content: "|26|"; distance: 4; within: 5; content: "|74|"; distance: 6; within: 7; content: "|8CD8488ED8|"; distance: 1; within: 6; sid: 2009001343; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx FaxFreeTopo]"; flow: established,to_client; content: "|FA0633C08EC0B8|"; content: "|26|"; distance: 2; within: 3; content: "|508CC826|"; distance: 4; within: 8; content: "|50CC589D5826|"; distance: 4; within: 10; content: "|5826|"; distance: 4; within: 6; content: "|07FB|"; distance: 4; within: 6; sid: 2009001344; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Gotcha879]"; flow: established,to_client; content: "|E8|"; content: "|5B81EB|"; distance: 2; within: 5; content: "|9CFC2E|"; distance: 2; within: 5; content: "|8CD805|"; distance: 7; within: 10; content: "|2E|"; distance: 2; within: 3; content: "|502E|"; distance: 4; within: 6; content: "|8BC305|"; distance: 6; within: 9; content: "|8BF0BF0001B92000F3A40EB8000150B8DADACD21|"; distance: 2; within: 22; sid: 2009001345; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Grazie883]"; flow: established,to_client; content: "|1E0E1F5006BF7003B41ABA7003CD21B447B200BE3204CD21|"; sid: 2009001346; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx GRUNT2Family]"; flow: established,to_client; content: "|48E2F7C3515352E8DDFF5A5B59C3B90000E2FEC3|"; sid: 2009001347; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx GRUNT4Family]"; flow: established,to_client; content: "|E81C008D9E4101403E8B961403B9EA0087DBF7D0311783C302E2F7C3|"; sid: 2009001348; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Hafen1641]"; flow: established,to_client; content: "|E8|"; content: "|01|"; distance: 2; within: 3; content: "|CECC25|"; distance: 3; within: 6; content: "|25|"; distance: 2; within: 3; content: "|25|"; distance: 2; within: 3; content: "|4051D4|"; distance: 2; within: 5; content: "|CC47CA|"; distance: 3; within: 6; content: "|468ACC4488CC|"; distance: 2; within: 8; sid: 2009001349; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Hafen809]"; flow: established,to_client; content: "|E8|"; content: "|1C|"; distance: 2; within: 3; content: "|81EE|"; distance: 1; within: 3; content: "|501E068CC88ED80633C08EC026|"; distance: 2; within: 15; content: "|073D|"; distance: 3; within: 5; sid: 2009001350; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Haryanto]"; flow: established,to_client; content: "|81EB2A018B0F1E5B03CB0E51B9100151CB|"; sid: 2009001351; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Heloween1172]"; flow: established,to_client; content: "|E8|"; content: "|5E81EE|"; distance: 2; within: 5; content: "|5650060E1F8CC001|"; distance: 2; within: 10; content: "|01|"; distance: 2; within: 3; content: "|80|"; distance: 2; within: 3; content: "|8B|"; distance: 4; within: 5; content: "|A3|"; distance: 2; within: 3; content: "|8A|"; distance: 2; within: 3; content: "|A2|"; distance: 2; within: 3; content: "|B8|"; distance: 2; within: 3; content: "|CD213D|"; distance: 2; within: 5; sid: 2009001352; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Horse1776]"; flow: established,to_client; content: "|E8|"; content: "|5D83|"; distance: 2; within: 4; content: "|061E26|"; distance: 2; within: 5; content: "|BF|"; distance: 4; within: 5; content: "|1E0E1F8BF701EEB9|"; distance: 2; within: 10; content: "|FCF3A61F1E07|"; distance: 2; within: 8; sid: 2009001353; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Hymn1865]"; flow: established,to_client; content: "|E8|"; content: "|5E83EE4CFC2E|"; distance: 2; within: 8; content: "|4D5A|"; distance: 4; within: 6; content: "|FA8BE681|"; distance: 2; within: 6; content: "|FB3B|"; distance: 3; within: 5; content: "|2E|"; distance: 5; within: 6; content: "|5006561E0E1FB800C5CD21|"; distance: 5; within: 16; sid: 2009001354; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Igor]"; flow: established,to_client; content: "|1EB8CD7BCD2181FBCD7B7503E9870033DB0E1F8C|"; sid: 2009001355; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx KBDflags1024]"; flow: established,to_client; content: "|8BEC2E892E2403BC00048CD52E892E22|"; sid: 2009001356; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Keypress1212]"; flow: established,to_client; content: "|E8|"; content: "|E8|"; distance: 2; within: 3; content: "|E8|"; distance: 2; within: 3; content: "|E8|"; distance: 2; within: 3; content: "|E8|"; distance: 4; within: 5; content: "|E8|"; distance: 4; within: 5; content: "|EA|"; distance: 4; within: 5; content: "|1E33DB8EDBBB|"; distance: 4; within: 10; sid: 2009001357; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Kuku448]"; flow: established,to_client; content: "|AE75EDE2F8893E|"; content: "|BA|"; distance: 2; within: 3; content: "|0E07BF|"; distance: 2; within: 5; content: "|EB|"; distance: 2; within: 3; sid: 2009001358; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Kuku886]"; flow: established,to_client; content: "|061E508CC88ED8BA7003B82425CD21|"; content: "|90B42FCD2153|"; distance: 5; within: 11; sid: 2009001359; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Modification of Hi924]"; flow: established,to_client; content: "|505351521E069CB82135CD2153BB|"; content: "|26|"; distance: 2; within: 3; content: "|49485B|"; distance: 2; within: 5; sid: 2009001360; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx MTE (non-encrypted)]"; flow: established,to_client; content: "|F7D980E1FE7502494997A3|"; content: "|03C124FE750248|"; distance: 2; within: 9; sid: 2009001361; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Ncu-Li1688]"; flow: established,to_client; content: "|0E1EB855AACD213D494C74|"; content: "|0E0E1F07E8|"; distance: 1; within: 6; sid: 2009001362; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Necropolis]"; flow: established,to_client; content: "|50FCAD33C2AB8BD0E2F8|"; sid: 2009001363; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Necropolis1963]"; flow: established,to_client; content: "|B430CD213C03|"; content: "|B80012CD2F3CFFB8|"; distance: 2; within: 10; content: "|B44ABB4001CD21|"; distance: 4; within: 11; content: "|FA0E17BC|"; distance: 2; within: 6; content: "|E8|"; distance: 2; within: 3; content: "|FBA1|"; distance: 2; within: 4; content: "|0BC0|"; distance: 2; within: 4; sid: 2009001364; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Noon1163]"; flow: established,to_client; content: "|E8|"; content: "|5B5056B4CBCD213C07|"; distance: 2; within: 11; content: "|81|"; distance: 2; within: 3; content: "|2E|"; distance: 3; within: 4; content: "|4D5A|"; distance: 2; within: 4; content: "|BF000189DEFC|"; distance: 2; within: 8; sid: 2009001365; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx November 17768]"; flow: established,to_client; content: "|E8|"; content: "|5E81EE|"; distance: 2; within: 5; content: "|5033C08ED8803E|"; distance: 2; within: 9; content: "|0E1F|"; distance: 3; within: 5; content: "|FC|"; distance: 2; within: 3; sid: 2009001366; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Number One]"; flow: established,to_client; content: "|F9073C536D696C653EE8|"; sid: 2009001367; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Phoenix927]"; flow: established,to_client; content: "|E800005E81C6|"; content: "|BF0001B90400F3A4E8|"; distance: 2; within: 11; sid: 2009001368; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Predator2448]"; flow: established,to_client; content: "|0E1FBF|"; content: "|B8|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|49|"; distance: 2; within: 3; content: "|2AC14F4F|"; distance: 4; within: 8; content: "|F9CC|"; distance: 2; within: 4; sid: 2009001369; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Quake518]"; flow: established,to_client; content: "|1E068CC88ED8|"; content: "|B82135CD2181|"; distance: 7; within: 13; sid: 2009001370; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx SK]"; flow: established,to_client; content: "|CD20B80300CD1051E800005E83EE09|"; sid: 2009001371; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Slowload]"; flow: established,to_client; content: "|03D6B440CD21B8024233D233C9CD218BD6B97801|"; sid: 2009001372; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Sonik Youth]"; flow: established,to_client; content: "|8A1602008A0732C2880743FEC281FB|"; sid: 2009001373; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Spanz]"; flow: established,to_client; content: "|E800005E81EE|"; content: "|8D94|"; distance: 2; within: 4; content: "|B41ACD21C784|"; distance: 2; within: 8; sid: 2009001374; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx SYP]"; flow: established,to_client; content: "|478BC2051E00528BD0B8023DCD218BD85A|"; sid: 2009001375; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[VX TibsZhelatin StormWorm variant]"; flow: established,to_client; content: "|FF74241C588D80|"; content: "|7704506862343504E8|"; distance: 2; within: 11; sid: 2009001376; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx TravJack883]"; flow: established,to_client; content: "|EB|"; content: "|9C9E26|"; distance: 1; within: 4; content: "|5104|"; distance: 2; within: 4; content: "|7D|"; distance: 1; within: 2; content: "|00|"; distance: 1; within: 2; content: "|2E|"; distance: 1; within: 2; content: "|8CC88EC08ED880|"; distance: 4; within: 11; content: "|74|"; distance: 4; within: 5; content: "|8A|"; distance: 1; within: 2; content: "|BB|"; distance: 3; within: 4; content: "|8A|"; distance: 2; within: 3; content: "|32C288|"; distance: 1; within: 4; content: "|FEC24381|"; distance: 1; within: 5; sid: 2009001377; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Trivial25]"; flow: established,to_client; content: "|B44EFEC6CD21B8|"; content: "|3DBA|"; distance: 1; within: 3; content: "|00CD2193B440CD|"; distance: 1; within: 8; sid: 2009001378; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Trivial46]"; flow: established,to_client; content: "|B44EB120BA|"; content: "|CD21BA|"; distance: 2; within: 5; content: "|B8|"; distance: 2; within: 3; content: "|3DCD21|"; distance: 1; within: 4; sid: 2009001379; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx TrojanTelefoon]"; flow: established,to_client; content: "|601EE83B01BFCC012E033ECA012EC705|"; sid: 2009001380; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx Uddy2617]"; flow: established,to_client; content: "|2E|"; content: "|2E|"; distance: 5; within: 6; content: "|2E|"; distance: 5; within: 6; content: "|8CC88ED88C|"; distance: 3; within: 8; content: "|2B|"; distance: 3; within: 4; content: "|03|"; distance: 3; within: 4; content: "|A3|"; distance: 3; within: 4; content: "|A1|"; distance: 2; within: 3; content: "|A3|"; distance: 2; within: 3; content: "|A1|"; distance: 2; within: 3; content: "|A3|"; distance: 2; within: 3; content: "|8CC82B|"; distance: 2; within: 5; content: "|03|"; distance: 3; within: 4; content: "|A3|"; distance: 3; within: 4; content: "|B8AB9CCD2F3D7698|"; distance: 2; within: 10; sid: 2009001381; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx VCL]"; flow: established,to_client; content: "|ACB90080F2AEB90400ACAE75|"; content: "|E2FA89|"; distance: 1; within: 4; sid: 2009001382; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx VCL (encrypted)]"; flow: established,to_client; content: "|01B9|"; content: "|8134|"; distance: 2; within: 4; content: "|4646E2F8C3|"; distance: 2; within: 7; sid: 2009001383; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx VCL (encrypted)]"; flow: established,to_client; content: "|01B9|"; content: "|8135|"; distance: 2; within: 4; content: "|4747E2F8C3|"; distance: 2; within: 7; sid: 2009001384; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx VirusConstructor(IVP)based]"; flow: established,to_client; content: "|E9|"; content: "|E8|"; distance: 2; within: 3; content: "|5D|"; distance: 2; within: 3; content: "|81ED|"; distance: 5; within: 7; content: "|E8|"; distance: 6; within: 7; content: "|81FC|"; distance: 2; within: 4; content: "|8D|"; distance: 4; within: 5; content: "|BF|"; distance: 3; within: 4; content: "|57A4A5|"; distance: 2; within: 5; sid: 2009001385; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx VirusConstructorbased]"; flow: established,to_client; content: "|BB|"; content: "|B9|"; distance: 2; within: 3; content: "|2E|"; distance: 2; within: 3; content: "|4343|"; distance: 4; within: 6; content: "|8BECCC8B|"; distance: 2; within: 6; content: "|81|"; distance: 2; within: 3; content: "|061EB8|"; distance: 3; within: 6; content: "|CD213D|"; distance: 2; within: 5; content: "|8CD8488ED8|"; distance: 4; within: 9; sid: 2009001386; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx VirusConstructorbased]"; flow: established,to_client; content: "|E8|"; content: "|5D81|"; distance: 2; within: 4; content: "|061EE8|"; distance: 3; within: 6; content: "|E8|"; distance: 2; within: 3; content: "|2E|"; distance: 4; within: 5; content: "|B44ABBFFFFCD2183|"; distance: 6; within: 14; content: "|B44ACD21|"; distance: 2; within: 6; sid: 2009001387; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx XPEH4768]"; flow: established,to_client; content: "|E8|"; content: "|5B81|"; distance: 2; within: 4; content: "|5056572E|"; distance: 3; within: 7; content: "|2E|"; distance: 5; within: 6; content: "|B8010050B8|"; distance: 6; within: 11; content: "|50E8|"; distance: 2; within: 4; sid: 2009001388; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Vx XRCV1015]"; flow: established,to_client; content: "|E8|"; content: "|5E83|"; distance: 2; within: 4; content: "|53511E06B499CD2180FC21|"; distance: 2; within: 13; content: "|33C0508CD8488EC01FA1|"; distance: 5; within: 15; content: "|8B|"; distance: 2; within: 3; sid: 2009001389; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[W32Jeefo (PE File Infector)]"; flow: established,to_client; content: "|5589E583EC0883C4F46A02A1C8|"; content: "|FFD0E8|"; distance: 3; within: 6; content: "|C9C3|"; distance: 4; within: 6; sid: 2009001390; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WARNING - TROJAN - ADinjector]"; flow: established,to_client; content: "|9061BE002044008DBE00F0FBFFC7879CE004006AF08A5E5783CDFFEB0E|"; sid: 2009001391; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WARNING - TROJAN - HuiGeZi]"; flow: established,to_client; content: "|558BEC81C4|"; content: "|FEFFFF53565733C08985|"; distance: 1; within: 11; content: "|FEFFFF|"; distance: 1; within: 4; sid: 2009001392; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WARNING - TROJAN - RobinPE]"; flow: established,to_client; content: "|606A006A206A026A006A0368000000|"; sid: 2009001393; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WARNING - TROJAN - XiaoHui]"; flow: established,to_client; content: "|609CE8000000005DB8|"; content: "|8540002D|"; distance: 1; within: 5; content: "|854000|"; distance: 1; within: 4; sid: 2009001394; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Warning may be SimbyOZ polycryptor by 3xpl01t ver 2xx (25032007 2200)]"; flow: established,to_client; content: "|57578D7C240450B800D01713AB585FC30000|"; sid: 2009001395; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WebCops [DLL] - LINK Data Security]"; flow: established,to_client; content: "|A8BE58DCD6CCC4634A0FE002BBCEF35C5023FB62E73D2B|"; sid: 2009001396; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WebCops [EXE] - LINK Data Security]"; flow: established,to_client; content: "|EB0305EB02EBFC55EB03EB0405EBFBEB53E80400000072|"; sid: 2009001397; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Werus Crypter 10 - by Kas]"; flow: established,to_client; content: "|BBE8124000803305E97DFFFFFF|"; sid: 2009001398; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WIBU-Key V410A - httpwibucomus]"; flow: established,to_client; content: "|F705|"; content: "|FF0000007512|"; distance: 4; within: 10; sid: 2009001399; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Wind of Crypt 10 - by DarkPressure]"; flow: established,to_client; content: "|558BEC83C4EC53|"; content: "|8945ECB864400010E828EAFFFF33C05568CE51001064|"; distance: 4; within: 26; content: "|206A0068800000006A036A006A0168000000808D55EC33C0E8F6DBFFFF8B45ECE812E7FFFF50E83CEAFFFF8BD883FBFF0F84A60000006A0053E841EAFFFF8BF081EE005E00006A006A0068005E000053E852EAFFFFB8F49700108BD6E82EE7FFFFB8F89700108BD6E822E7FFFF8BC6E8ABD8FFFF8BF86A0068F097001056A1F49700105053E805EAFFFF53E8CFE9FFFFB8FC970010BAE8510010E874EAFFFFA1F497001085C0740583E8048B0050B9F8970010B8FC9700108B15F4970010E8D8EAFFFFB8FC970010E85AEBFFFF8BCE8B15F89700108BC7E8EBE9FFFF8BC785C07405E8E4EBFFFF33C05A595964891068D55100108D45ECE8BBE5FFFFC3E9A9DFFFFFEBF05F5E5BE8B7E4FFFF000000FFFFFFFF0A000000635A6C5630556C6B704D|"; distance: 4; within: 293; sid: 2009001400; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Winkript v10]"; flow: established,to_client; content: "|33C08BB800|"; content: "|8B9004|"; distance: 3; within: 6; content: "|85FF741B33C950EB0C8A0439C0C804341B880439413BCA72F058|"; distance: 3; within: 29; sid: 2009001401; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WinKript v10 - Mr Crimson]"; flow: established,to_client; content: "|33C08BB800|"; content: "|8B9004|"; distance: 3; within: 6; content: "|85FF741B33C950EB0C8A0439C0C804341B880439413BCA72F05883C008EBD561E9|"; distance: 3; within: 36; content: "|00000000000000000000000000000000000000000000000000000000000000000000|"; distance: 4; within: 38; sid: 2009001402; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WinRAR 32-bit SFX Module]"; flow: established,to_client; content: "|E9|"; content: "|000000000000909090|"; distance: 2; within: 11; content: "|00|"; distance: 6; within: 7; content: "|00|"; distance: 1; within: 2; content: "|FF|"; distance: 5; within: 6; sid: 2009001403; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WinUpack v039 final (relocated image base) - By Dwing (c)2005 (h2)]"; flow: established,to_client; content: "|60E809000000|"; content: "|00E90602000033C95E870EE3F42BF18BDEAD2BD8AD03C35097AD91F3A55EAD5691011EADE2FBAD8D6E10015D008D7D1CB5|"; distance: 3; within: 52; content: "|F3AB5EAD53505197588D54855CFF1672572C037302B0003C0772|"; distance: 1; within: 27; sid: 2009001404; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WinUpack v039 final - By Dwing (c)2005 (h1)]"; flow: established,to_client; content: "|BEB011|"; content: "|AD50FF7634EB7C4801|"; distance: 2; within: 11; content: "|0B014C6F61644C696272617279410000181000001000000000|"; distance: 2; within: 27; content: "|0000|"; distance: 3; within: 5; content: "|00100000000200000400000000003900040000000000000000|"; distance: 2; within: 27; content: "|0002000000000000|"; distance: 3; within: 11; sid: 2009001405; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WinZip (32-bit) 6x]"; flow: established,to_client; content: "|FF15FC814000B12238087402B120408038007410|"; sid: 2009001406; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WinZip 32-bit SFX v6x module]"; flow: established,to_client; content: "|FF15|"; content: "|00B12238087402B120408038007410380874064080380075F680380074014033C9|"; distance: 3; within: 36; content: "|FF15|"; distance: 4; within: 6; sid: 2009001407; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WinZip 32-bit SFX v8x module]"; flow: established,to_client; content: "|53FF15|"; content: "|00B3223818740380C3FE8A48014033D23ACA740A3ACB74068A480140EBF23810740140|"; distance: 3; within: 38; content: "|FF15|"; distance: 4; within: 6; sid: 2009001408; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WinZip Self-Extractor 22 personal edition - WinZip Computing]"; flow: established,to_client; content: "|53FF1558704000B3223818740380C3FE4033D28A083ACA74103ACB7407408A083ACA75F5381074014052505252FF155C70400050E815FBFFFF50FF158C7040005B|"; sid: 2009001409; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Wise Installer Stub]"; flow: established,to_client; content: "|558BEC81EC780500005356BE04010000578D8594FDFFFF5633DB5053FF15342040008D8594FDFFFF56508D8594FDFFFF50FF15302040008B3D2C20400053536A03536A018D8594FDFFFF680000008050FFD783F8FF|"; sid: 2009001410; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Wise Installer Stub]"; flow: established,to_client; content: "|558BEC81EC|"; content: "|0400005356576A|"; distance: 1; within: 8; content: "|FF15|"; distance: 7; within: 9; content: "|4000|"; distance: 2; within: 4; content: "|80|"; distance: 56; within: 57; content: "|20|"; distance: 1; within: 2; sid: 2009001411; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Wise Installer Stub v11010291]"; flow: established,to_client; content: "|558BEC81EC400F00005356576A04FF15F4304000FF15743040008A088945E880F92275488A4801408945E833F684C9740E80F92274098A4801408945E8EBEE8038227504408945E880382075094080382074FA8945|"; sid: 2009001412; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v300 v301 (Extractable)]"; flow: established,to_client; content: "|B8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|516A|"; distance: 2; within: 4; content: "|06068CD383|"; distance: 1; within: 6; content: "|536A|"; distance: 2; within: 4; content: "|FC|"; distance: 1; within: 2; sid: 2009001413; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v300 v301 (Relocations pack)]"; flow: established,to_client; content: "|BE|"; content: "|BA|"; distance: 2; within: 3; content: "|BF|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|8CCD8EDD81ED|"; distance: 2; within: 8; content: "|06068BDD2BDA8BD3FC|"; distance: 2; within: 11; sid: 2009001414; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v302 v302a (Extractable)]"; flow: established,to_client; content: "|B8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|5133C9B1|"; distance: 2; within: 6; content: "|510606BB|"; distance: 1; within: 5; content: "|538CD3|"; distance: 2; within: 5; sid: 2009001415; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v302 v302a v304 (Relocations pack)]"; flow: established,to_client; content: "|BE|"; content: "|BF|"; distance: 2; within: 3; content: "|B9|"; distance: 2; within: 3; content: "|8CCD81ED|"; distance: 2; within: 6; content: "|8BDD81EB|"; distance: 2; within: 6; content: "|8BD3FCFA1E8EDB011533C02EAC|"; distance: 2; within: 15; sid: 2009001416; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v303]"; flow: established,to_client; content: "|B8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606BB|"; distance: 2; within: 6; content: "|53|"; distance: 2; within: 3; sid: 2009001417; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Extr Passwcheck Vir shield)]"; flow: established,to_client; content: "|0305C01AB8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001418; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Extractable Password checking)]"; flow: established,to_client; content: "|0305801AB8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001419; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Extractable Virus Shield)]"; flow: established,to_client; content: "|0305401AB8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001420; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Extractable)]"; flow: established,to_client; content: "|0305001AB8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001421; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Modified)]"; flow: established,to_client; content: "|B8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001422; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Unextr Passwcheck Vir shield)]"; flow: established,to_client; content: "|0305C01BB8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001423; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Unextractable Password checking)]"; flow: established,to_client; content: "|0305801BB8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001424; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Unextractable Virus Shield)]"; flow: established,to_client; content: "|0305401BB8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001425; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPACK v305c4 (Unextractable)]"; flow: established,to_client; content: "|0305001BB8|"; content: "|8CCA03D08CC981C1|"; distance: 2; within: 10; content: "|51B9|"; distance: 2; within: 4; content: "|510606B1|"; distance: 2; within: 6; content: "|518CD3|"; distance: 1; within: 4; sid: 2009001426; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPack32 v100 v111 v112 v120]"; flow: established,to_client; content: "|53558BE833DBEB600D0A0D0A57575061636B3332|"; sid: 2009001427; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[WWPack32 v1x]"; flow: established,to_client; content: "|53558BE833DBEB60|"; sid: 2009001428; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[X-Hider 10 - GlobaL]"; flow: established,to_client; content: "|558BEC83C4EC33C08945ECB854204444E8DFF8FFFF33C055680821444464FF306489208D55ECB81C214444E8E0F9FFFF8B55ECB840|"; content: "|44E88BF5FFFF6A006A006A026A006A016800000040A140|"; distance: 2; within: 25; content: "|44E87EF6FFFF50E84CF9FFFF6A0050E84CF9FFFFA328|"; distance: 2; within: 24; content: "|44E8CEFEFFFF33C05A5959648910680F2144448D45ECE8F1F4FFFFC3E9BBF2FFFFEBF0E8FCF3FFFFFFFFFFFF0E000000633A5C303030303030312E64617400|"; distance: 2; within: 65; sid: 2009001429; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[X-PEOR v099b]"; flow: established,to_client; content: "|E8000000005D8BCD81ED7A29400089AD0F6D4000|"; sid: 2009001430; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[X-PEOR v099b]"; flow: established,to_client; content: "|E8|"; content: "|5D8BCD81ED7A2940|"; distance: 4; within: 12; content: "|89AD0F6D40|"; distance: 1; within: 6; sid: 2009001431; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[XCR v012]"; flow: established,to_client; content: "|609CE8|"; content: "|8BDD5D81ED|"; distance: 4; within: 9; content: "|899D|"; distance: 4; within: 6; sid: 2009001432; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[XCR v013]"; flow: established,to_client; content: "|937108|"; content: "|8BD878E2|"; distance: 8; within: 12; content: "|9C33C3|"; distance: 4; within: 7; content: "|6079CE|"; distance: 4; within: 7; content: "|E801|"; distance: 4; within: 6; content: "|83C404E8ABFFFFFF|"; distance: 4; within: 12; content: "|2BE8|"; distance: 4; within: 6; content: "|03C5FF30|"; distance: 4; within: 8; content: "|C6|"; distance: 4; within: 5; content: "|EB|"; distance: 1; within: 2; sid: 2009001433; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[XJ XPAL - LiNSoN]"; flow: established,to_client; content: "|558BEC6AFF68|"; content: "|400068|"; distance: 2; within: 5; content: "|400064A100000000506489250000000083EC44535657669C|"; distance: 2; within: 26; sid: 2009001434; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[XPack 152 - 164]"; flow: established,to_client; content: "|8BECFA33C08ED0BC|"; content: "|2E|"; distance: 2; within: 3; content: "|2E|"; distance: 4; within: 5; content: "|EB|"; distance: 4; within: 5; sid: 2009001435; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[XPack 167]"; flow: established,to_client; content: "|B88CD3153375813EE80F009AE8F9FF9A9CEB019A5980CD01519DEB|"; sid: 2009001436; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[xPEP 03x - xIkUg]"; flow: established,to_client; content: "|555356515257E816000000|"; sid: 2009001437; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Xtreme-Protector v105]"; flow: established,to_client; content: "|E9|"; content: "|0000000000000000|"; distance: 2; within: 10; sid: 2009001438; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Xtreme-Protector v106]"; flow: established,to_client; content: "|B8|"; content: "|00B975|"; distance: 3; within: 6; content: "|005051E805000000E94A010000608B7424248B7C2428FCB2808A0646880747BB0200000002D275058A164612D273EA02D275058A164612D2734F33C002D275058A164612D20F83DF00000002|"; distance: 2; within: 78; sid: 2009001439; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[XXPack 01 - bagie]"; flow: established,to_client; content: "|E8040000008360EB0C5DEB054555EB04B8EBF900C3E8000000005DEB010081ED5E1F4000EB0283098DB5EF1F4000EB028309BAA3110000EB006800|"; content: "|C3|"; distance: 3; within: 4; sid: 2009001440; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[y0das Crypter v10]"; flow: established,to_client; content: "|60E8000000005D81EDE71A4000E8A1000000E8D1000000E885010000F785|"; sid: 2009001441; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[y0das Crypter v11]"; flow: established,to_client; content: "|60E8000000005D81ED8A1C4000B99E0000008DBD4C2340008BF733|"; sid: 2009001442; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[y0das Crypter v12]"; flow: established,to_client; content: "|60E8000000005D81EDF31D4000B97B0900008DBD3B1E40008BF7AC|"; content: "|AAE2CC|"; distance: 48; within: 51; sid: 2009001443; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[y0das Crypter v1x Modified]"; flow: established,to_client; content: "|60E8000000005D81ED|"; content: "|B9|"; distance: 4; within: 5; content: "|00008DBD|"; distance: 2; within: 6; content: "|8BF7AC|"; distance: 4; within: 7; sid: 2009001444; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Crypter 13 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|558BEC53565760E8000000005D81ED6C284000B95D34400081E9C62840008BD581C2C62840008D3A8BF733C0EB0490EB01C2AC|"; sid: 2009001445; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector 102 - 103 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|E803000000EB01|"; content: "|BB55000000E803000000EB01|"; distance: 1; within: 13; content: "|E88F000000E803000000EB01|"; distance: 1; within: 13; content: "|E882000000E803000000EB01|"; distance: 1; within: 13; content: "|E8B8000000E803000000EB01|"; distance: 1; within: 13; content: "|E8AB0000|"; distance: 1; within: 5; sid: 2009001446; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector 102 - Ashkibiz Danehlar]"; flow: established,to_client; content: "|E803000000EB01|"; content: "|BB55000000E803000000EB01|"; distance: 1; within: 13; content: "|E88F000000E803000000EB01|"; distance: 1; within: 13; content: "|E882000000E803000000EB01|"; distance: 1; within: 13; content: "|E8B8000000E803000000EB01|"; distance: 1; within: 13; content: "|E8AB000000E803000000EB01|"; distance: 1; within: 13; content: "|83FB55E803000000EB01|"; distance: 1; within: 11; content: "|75|"; distance: 1; within: 2; sid: 2009001447; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector 10x - Ashkbiz Danehkar]"; flow: established,to_client; content: "|558BEC535657E803000000EB01|"; sid: 2009001448; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector v101 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|558BEC535657E803000000EB01|"; content: "|E886000000E803000000EB01|"; distance: 1; within: 13; content: "|E879000000E803000000EB01|"; distance: 1; within: 13; content: "|E8A4000000E803000000EB01|"; distance: 1; within: 13; content: "|E897000000E803000000EB01|"; distance: 1; within: 13; content: "|E82D000000E803000000EB01|"; distance: 1; within: 13; content: "|60E800000000|"; distance: 1; within: 7; sid: 2009001449; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector V101 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|558BEC535657E803000000EB01|"; content: "|E886000000E803000000EB01|"; distance: 1; within: 13; content: "|E879000000E803000000EB01|"; distance: 1; within: 13; content: "|E8A4000000E803000000EB01|"; distance: 1; within: 13; content: "|E897000000E803000000EB01|"; distance: 1; within: 13; content: "|E82D000000E803000000EB01|"; distance: 1; within: 13; content: "|60E8000000005D81EDD5E441008BD581C223E5410052E801000000C3C3E803000000EB01|"; distance: 1; within: 37; content: "|E80E000000E8D1FFFFFFC3E803000000EB01|"; distance: 1; within: 19; content: "|33C064FF30648920CCC3E803000000EB01|"; distance: 1; within: 18; content: "|33C064FF30648920CCC3|"; distance: 1; within: 11; sid: 2009001450; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector V102 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|E803000000EB01|"; content: "|BB55000000E803000000EB01|"; distance: 1; within: 13; content: "|E88F000000E803000000EB01|"; distance: 1; within: 13; content: "|E882000000E803000000EB01|"; distance: 1; within: 13; content: "|E8B8000000E803000000EB01|"; distance: 1; within: 13; content: "|E8AB000000E803000000EB01|"; distance: 1; within: 13; content: "|83FB55E803000000EB01|"; distance: 1; within: 11; content: "|752EE803000000EB01|"; distance: 1; within: 10; content: "|C360E8000000005D81ED233F42008BD581C2723F420052E801000000C3C3E803000000EB01|"; distance: 1; within: 38; content: "|E80E000000E8D1FFFFFFC3E803000000EB01|"; distance: 1; within: 19; content: "|33C064FF30648920CCC3E803000000EB01|"; distance: 1; within: 18; content: "|33C064FF306489204BCCC3E803000000EB01|"; distance: 1; within: 19; content: "|33DBB93A66420081E91D4042008BD581C21D4042008D3A8BF733C0E803000000EB01|"; distance: 1; within: 35; content: "|E817000000909090E9C31F000033C064FF3064892043CCC3|"; distance: 1; within: 25; sid: 2009001451; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector V1031 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|E803000000EB01|"; content: "|BB55000000E803000000EB01|"; distance: 1; within: 13; content: "|E88F000000E803000000EB01|"; distance: 1; within: 13; content: "|E882000000E803000000EB01|"; distance: 1; within: 13; content: "|E8B8000000E803000000EB01|"; distance: 1; within: 13; content: "|E8AB000000E803000000EB01|"; distance: 1; within: 13; content: "|83FB55E803000000EB01|"; distance: 1; within: 11; content: "|752EE803000000EB01|"; distance: 1; within: 10; content: "|C360E8000000005D81ED747242008BD581C2C372420052E801000000C3C3E803000000EB01|"; distance: 1; within: 38; content: "|E80E000000E8D1FFFFFFC3E803000000EB01|"; distance: 1; within: 19; content: "|33C064FF30648920CCC3E803000000EB01|"; distance: 1; within: 18; content: "|33C064FF306489204BCCC3E803000000EB01|"; distance: 1; within: 19; content: "|33DBB93FA9420081E96E7342008BD581C26E7342008D3A8BF733C0E803000000EB01|"; distance: 1; within: 35; content: "|E817000000909090E9982E000033C064FF3064892043CCC3|"; distance: 1; within: 25; sid: 2009001452; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector V1032 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|E803000000EB01|"; content: "|BB55000000E803000000EB01|"; distance: 1; within: 13; content: "|E88F000000E803000000EB01|"; distance: 1; within: 13; content: "|E882000000E803000000EB01|"; distance: 1; within: 13; content: "|E8B8000000E803000000EB01|"; distance: 1; within: 13; content: "|E8AB000000E803000000EB01|"; distance: 1; within: 13; content: "|83FB55E803000000EB01|"; distance: 1; within: 11; content: "|752EE803000000EB01|"; distance: 1; within: 10; content: "|C360E8000000005D81ED947342008BD581C2E373420052E801000000C3C3E803000000EB01|"; distance: 1; within: 38; content: "|E80E000000E8D1FFFFFFC3E803000000EB01|"; distance: 1; within: 19; content: "|33C064FF30648920CCC3E803000000EB01|"; distance: 1; within: 18; content: "|33C064FF306489204BCCC3E803000000EB01|"; distance: 1; within: 19; content: "|33DBB9BFA4420081E98E7442008BD581C28E7442008D3A8BF733C0E803000000EB01|"; distance: 1; within: 35; content: "|E817000000909090E96329000033C064FF3064892043CCC3|"; distance: 1; within: 25; sid: 2009001453; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[Yodas Protector v1032 Beta2 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|E803000000EB01|"; content: "|BB55000000E803000000EB01|"; distance: 1; within: 13; content: "|E88F000000E803000000EB01|"; distance: 1; within: 13; content: "|E882000000E803000000EB01|"; distance: 1; within: 13; content: "|E8B8000000|"; distance: 1; within: 6; sid: 2009001454; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector v1033 (exescrcom) - Ashkbiz Danehkar]"; flow: established,to_client; content: "|E803000000EB01|"; content: "|BB55000000E803000000EB01|"; distance: 1; within: 13; content: "|E88E000000E803000000EB01|"; distance: 1; within: 13; content: "|E881000000E803000000EB01|"; distance: 1; within: 13; content: "|E8B7000000E803000000EB01|"; distance: 1; within: 13; content: "|E8AA000000E803000000EB01|"; distance: 1; within: 13; content: "|83FB55E803000000EB01|"; distance: 1; within: 11; content: "|75|"; distance: 1; within: 2; sid: 2009001455; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector V1033 - Ashkbiz Danehkar]"; flow: established,to_client; content: "|E803000000EB01|"; content: "|BB55000000E803000000EB01|"; distance: 1; within: 13; content: "|E88E000000E803000000EB01|"; distance: 1; within: 13; content: "|E881000000E803000000EB01|"; distance: 1; within: 13; content: "|E8B7000000E803000000EB01|"; distance: 1; within: 13; content: "|E8AA000000E803000000EB01|"; distance: 1; within: 13; content: "|83FB55E803000000EB01|"; distance: 1; within: 11; content: "|752DE803000000EB01|"; distance: 1; within: 10; content: "|60E8000000005D81ED07E240008BD581C256E2400052E801000000C3C3E803000000EB01|"; distance: 1; within: 37; content: "|E80E000000E8D1FFFFFFC3E803000000EB01|"; distance: 1; within: 19; content: "|33C064FF30648920CCC3E803000000EB01|"; distance: 1; within: 18; content: "|33C064FF306489204BCCC3|"; distance: 1; within: 12; sid: 2009001456; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yodas Protector v10b - Ashkbiz Danehkar]"; flow: established,to_client; content: "|558BEC53565760E8000000005D81ED4C324000E803000000EB01|"; content: "|B9EA47400081E9E93240008BD581C2E93240008D3A8BF733C0E80400000090EB01|"; distance: 1; within: 34; content: "|E803000000EB01|"; distance: 1; within: 8; sid: 2009001457; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yzpack 112 - UsAr]"; flow: established,to_client; content: "|5A52456083EC188BEC8BFC33C0648B4030780C8B400C8B701CAD8B4008EB098B403483C07C8B403CABE9|"; content: "|B409BA00001FCD21B8014CCD2140000000504500004C010200|"; distance: 4; within: 29; content: "|0000000000000000E000|"; distance: 4; within: 14; content: "|0B01|"; distance: 2; within: 4; content: "|0000|"; distance: 4; within: 6; sid: 2009001458; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[YZPack 12 -- UsAr]"; flow: established,to_client; content: "|4D5A52456083EC188BEC8BFC33C0648B4030780C8B400C8B701CAD8B4008EB098B403483C07C8B403CABE9|"; sid: 2009001459; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yzpack 20 - UsAr]"; flow: established,to_client; content: "|25|"; content: "|6187CC5545455581EDCA00000055A4B302FF142473F833C9FF1424731833C0FF1424731FB30241B010FF142412C073F9753CAAEBDCFF5424042BCB750FFF542408EB27ACD1E8743013C9EB1B9148C1E008ACFF5424083D007D0000730A80FC05730683F87F77024141958BC5B301568BF72BF0F3A45EEB99BD|"; distance: 4; within: 125; content: "|FF6528|"; distance: 4; within: 7; sid: 2009001460; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[yzpack V11 - UsAr]"; flow: established,to_client; content: "|6033C08D480750E2FD8BEC648B4030780C8B400C8B701CAD8B4008EB098B40348D407C8B403C894504E8F3070000608B5D048B733C8B74337803F3568B762003F333C9499241AD03C35233FF0FB61038F2|"; sid: 2009001461; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZCode Win32PE Protector v101]"; flow: established,to_client; content: "|E912000000|"; content: "|E9FBFFFFFFC368|"; distance: 12; within: 19; content: "|64FF35|"; distance: 4; within: 7; sid: 2009001462; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZealPack 10 - Zeal]"; flow: established,to_client; content: "|C745F400004000C745F0|"; content: "|8B45F405|"; distance: 4; within: 8; content: "|8945F4C745FC00000000EB098B4DFC83C101894DFC8B55FC3B55F07D228B45F40345FC8A08884DF80FBE55F883F20F8855F88B45F40345FC8A4DF88808EBCDFF65F4|"; distance: 4; within: 70; sid: 2009001463; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[ZipWorxSecureEXE v25 - ZipWORX Technologies LLC]"; flow: established,to_client; content: "|E9B8000000|"; content: "|0000000000|"; distance: 12; within: 17; content: "|005365637572654558452045786563757461626C652046696C652050726F746563746F720D0A436F70797269676874286329203230|"; distance: 10; within: 63; sid: 2009001464; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH]]"; flow: established,to_client; content: "|60EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB0181E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB0181E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB018183C404E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4083DFF0F0000EB0168EB02CD20EB01E8761BEB0168EB02CD20EB01E8CC66B8FE0074047502EB02EB018166E764E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB0181|"; sid: 2009001465; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v01 - emadicius]"; flow: established,to_client; content: "|60EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB0181E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB0181E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB018183C404E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4083DFF0F0000EB0168EB02CD20EB01E8761BEB0168EB02CD20EB01E8CC66B8FE0074047502EB02EB018166E764E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C408|"; sid: 2009001466; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v031a]"; flow: established,to_client; content: "|60D1CB0FCAC1CAE0D1CA0FC8EB01F10FC0C9D2D10FC1C0D3DAC0D6A8EB01DED0EC0FC1CBD0CF0FC1D1D2DB0FC8EB01BCC0E9C6C1D0910FCBEB01730FCA87D987D2D0CF87D90FC8EB01C1EB01A286CAD0E10FC0CB0FCAC0C7910FCBC1D90C86F986D7D1D9EB01A5EB0111EB011D0FC1C20FCB0FC1C2EB01A1C0E9FD0FC1D1EB01E30FCA87D9EB01F30FCB87C20FC0F9D0F7EB012F0FC9C0DCC4EB01350FCAD3D186C8EB01010FC0F587C8D0DEEB0195EB01E1EB01FDEB01EC87D30FCBC1DB35D3E20FC886E286ECC1FB12D2EE0FC9D2F60FCA87C3C1D3B3EB01BFD1CB87C90FCA0FC1DBEB0144C0CAF20FC1D10FCBEB01D3EB05E8EB044000EBFAE80A000000|"; sid: 2009001467; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake BJFNT 13) - emadicius]"; flow: established,to_client; content: "|EB033A4D3A1EEB02CD209CEB02CD20EB02CD2060EB02C705EB02CD20E803000000E9EB04584050C3619D1FEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB01|"; sid: 2009001468; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake ASPack 211d) - emadicius]"; flow: established,to_client; content: "|60E802000000EB095D5581ED39394400C361EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001469; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake ASPack 212) - emadicius]"; flow: established,to_client; content: "|60E803000000E9EB045D4555C3E801000000EB5DBBEDFFFFFF03DD81EB00A002EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001470; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake EXE32Pack 13x) - emadicius]"; flow: established,to_client; content: "|3BC074028183553BC074028183533BC97401BC563BD27402818557E8000000003BDB74019083C414EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001471; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake Microsoft Visual C) - emadicius]"; flow: established,to_client; content: "|558BEC6AFF68CA374100680638410064A1000000005064892500000000648F050000000083C40C5DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB01|"; sid: 2009001472; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake MSVC 60 DLL) - emadicius]"; flow: established,to_client; content: "|558BEC538B5D08568B750C578B7D1085F65F5E5B5DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001473; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake MSVC 70 DLL Method 3) - emadicius]"; flow: established,to_client; content: "|558BEC538B5D08568B750C5E5B5DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001474; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake MSVC DLL Method 4) - emadicius]"; flow: established,to_client; content: "|558BEC5657BF010000008B750C85F65F5E5DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001475; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake Neolite 20) - emadicius]"; flow: established,to_client; content: "|E9A6000000B07B4000786040007C60400000000000B03F0000126240004E656F4C6974652045786563757461626C652046696C6520436F6D70726573736F720D0A436F707972696768742028632920313939382C31393939204E656F576F727820496E630D0A506F7274696F6E7320436F707972696768742028632920313939372D31393939204C65652048617369756B0D0A416C6C205269676874732052657365727665642E00000000EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB01|"; sid: 2009001476; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake nSPack 13) - emadicius]"; flow: established,to_client; content: "|9C60E8000000005DB8B38540002DAC8540002BE88DB5D3FEFFFF8B0683F80074118DB5DFFEFFFF8B0683F8010F84F1010000619DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB01|"; sid: 2009001477; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PC-Guard 4xx) - emadicius]"; flow: established,to_client; content: "|FC5550E8000000005DEB01E360E803000000D2EB0B58EB014840EB0135FFE0E761585DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001478; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PE Crypt 102) - emadicius]"; flow: established,to_client; content: "|E8000000005B83EB05EB04524E442185C07302F70550E808000000EAFF58EB18EB010FEB02CD20EB03EACD205858EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001479; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PE Lock NT 204) - emadicius]"; flow: established,to_client; content: "|EB03CD20C71EEB03CD20EA9CEB02EB01EB01EB60EB03CD20EBEB01EBE803000000E9EB04584050C3EB03CD20EBEB03CD2003619D83C404EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001480; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PEBundle 02 - 3x) - emadicius]"; flow: established,to_client; content: "|9C60E80200000033C08BC483C004938BE38B5BFC81EB0730400087DD619DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001481; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PEBundle 20x - 24x) - emadicius]"; flow: established,to_client; content: "|9C60E80200000033C08BC483C004938BE38B5BFC81EB0730400087DD83BD9C38400001619DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001482; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PECompact 14x) - emadicius]"; flow: established,to_client; content: "|EB06682EA80000C39C60E80200000033C08BC483C004938BE38B5BFC81EB3F904000619DEB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001483; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PESHiELD 025) - emadicius]"; flow: established,to_client; content: "|60E82B0000000D0A0D0A0D0A5265676973744172656420746F3A204E4F4E2D434F4D4D45524349414C21210D0A0D0A0D005861EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001484; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PEtite 21) - emadicius]"; flow: established,to_client; content: "|B8005040006A0068BB21400064FF350000000064892500000000669C605083C40461669D648F050000000083C408EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001485; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake PEX 099) - emadicius]"; flow: established,to_client; content: "|60E801000000E883C404E801000000E95D81EDFF22400061EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB01|"; sid: 2009001486; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake SVKP 111) - emadicius]"; flow: established,to_client; content: "|60E8000000005D81ED0600000064A02300000083C50661EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB01|"; sid: 2009001487; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake UPX 0896 - 102 105 - 124) - emadicius]"; flow: established,to_client; content: "|60BE00908B008DBE0080B4FF5783CDFFEB3A9090909090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB730B75198B1E83EEFC11DB7210586190EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001488; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake WWPack32 1x) - emadicius]"; flow: established,to_client; content: "|53558BE833DBEB600D0A0D0A57575061636B3332206465636F6D7072657373696F6E20726F7574696E652076657273696F6E20312E31320D0A28632920313939382050696F747220576172657A616B20616E6420526166616C20576965727A6269636B690D0A0D0A5D5B90EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001489; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a (fake yodas cryptor 12) - emadicius]"; flow: established,to_client; content: "|60E8000000005D81EDF31D4000B97B0900008DBD3B1E40008BF7AC902C8AC0C078900462EB010061EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF|"; sid: 2009001490; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v032a - emadicius]"; flow: established,to_client; content: "|E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018174047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB018183C404E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4083DFFFFFF00EB0168EB02CD20EB01E8761BEB0168EB02CD20EB01E8CC66B8FE0074047502EB02EB018166E76474047502EB02EB0181E80A000000E8EB0C|"; sid: 2009001491; rev: 1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[[MSLRH] v32a - emadicius]"; flow: established,to_client; content: "|EB05E8EB044000EBFAE80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB0181E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB018150E802000000295A586BC003E802000000295A83C4045874047502EB02EB01810F31500F31E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4082B042474047502EB02EB018183C404E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C4083DFF0F0000EB0168EB02CD20EB01E8761BEB0168EB02CD20EB01E8CC66B8FE0074047502EB02EB018166E764E80A000000E8EB0C0000E8F6FFFFFFE8F2FFFFFF83C40874047502EB02EB01810F31500F31|"; sid: 2009001492; rev: 1;)