alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR access remote pc runtime detection - init connection"; flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_detection; flowbits:noalert; classtype:trojan-activity; sid:12142; rev:3;)