/*
 * webc2_greencat: flags small files that contain all four plain-text
 * strings listed below.
 *
 * NOTE(review): the rule name and the "apt" tag point at the WEBC2-GREENCAT
 * family, but this rule carries no meta section (no sample hash, reference
 * or author). Confirm attribution against your own intel before treating a
 * hit as family-specific.
 */
rule webc2_greencat : apt
{
    strings:
        // No modifiers are given, so each pattern is matched as
        // case-sensitive ASCII. The trailing spaces inside the quotes are
        // part of the pattern and must be preserved.
        $cmd_shell    = "shell"
        $cmd_transfer = "getf/putf FileName "
        $cmd_kill     = "kill "
        $cmd_list     = "list "

    condition:
        // Every string must be present. Three of the four are short, common
        // words, so most of the rule's specificity comes from the
        // "getf/putf FileName " usage string and the size cap.
        // NOTE(review): there is no file-type check, so any file under 100KB
        // holding these strings will match (documentation, scripts, other
        // rule files); triage hits with that in mind.
        filesize < 100KB and all of them
}