alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH Adobe Flash Player Exploit Kit decryption key detected"; flow:to_client,established; file_data; content:"|74 70 72 72 75 65 73 74 6A 62 61 66 65 69 61 78 66 6A 72 75 73 70 68 6D 6E 78|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2015-5119; reference:url,malware.dontneedcoffee.com/2015/07/hackingteam-flash-0d-cve-2015-xxxx-and.html; classtype:attempted-user; sid:36193; rev:2;)