gistfile1.txt

alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Observed Malicious SSL Cert (ElegyRAT)"; flow:established,to_client; tls.cert_subject; content:"CN=ElegyRAT Server"; fast_pattern; endswith; tls.cert_issuer; content:"CN=ElegyRAT Server"; endswith; reference:md5,a24cae9f6cf137e0e72817a1879f0acf; classtype:domain-c2; sid:10000000; rev:1;)