private rule RookieCode : Rookie Family { meta: description = "Rookie code features" author = "Seth Hardy" last_modified = "2014-06-25" strings: // hidden AutoConfigURL $ = { C6 ?? ?? ?? 41 C6 ?? ?? ?? 75 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 43 C6 ?? ?? ?? 6F C6 ?? ?? ?? 6E C6 ?? ?? ?? 66 } // hidden ProxyEnable $ = { C6 ?? ?? ?? 50 [4] C6 ?? ?? ?? 6F C6 ?? ?? ?? 78 C6 ?? ?? ?? 79 C6 ?? ?? ?? 45 C6 ?? ?? ?? 6E C6 ?? ?? ?? 61 } // xor on rand value? $ = { 8B 1D 10 A1 40 00 [18] FF D3 8A 16 32 D0 88 16 } condition: any of them } private rule RookieStrings : Rookie Family { meta: description = "Rookie Identifying Strings" author = "Seth Hardy" last_modified = "2014-06-25" strings: $ = "RookIE/1.0" condition: any of them } rule Rookie : Family { meta: description = "Rookie" author = "Seth Hardy" last_modified = "2014-06-25" condition: RookieCode or RookieStrings }