// Code-level indicator for the Rooter family.
// Declared private, so it is not reported on its own; it only feeds the
// public Rooter rule's condition.
private rule RooterCode : Rooter Family
{
    meta:
        description = "Rooter code features"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        // xor 0x30 decryption
        // Read as 32-bit x86, the 15 bytes decode to a byte-wise XOR loop:
        //   80 B0 ?? ?? ?? ?? 30   xor byte ptr [eax+disp32], 0x30
        //   40                     inc eax
        //   3D 00 50 00 00         cmp eax, 0x5000
        //   7C F1                  jl  -15 (back to the xor)
        // The four wildcards cover the disp32 (buffer address), which can
        // differ between builds; the key 0x30 and the 0x5000 bound are fixed.
        $ = { 80 B0 ?? ?? ?? ?? 30 40 3D 00 50 00 00 7C F1 }

    condition:
        // Only one string is defined, so this is "the XOR loop is present".
        any of them
}

// String-level indicator for the Rooter family.
// Declared private, so it is not reported on its own; it only feeds the
// public Rooter rule's condition.
private rule RooterStrings : Rooter Family
{
    meta:
        description = "Rooter Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    strings:
        // Short, NUL-terminated, case-sensitive ASCII tokens (no modifiers).
        // YARA matches them anywhere in the file, so each one also matches as
        // the tail of a longer string (e.g. "nown\x00" inside "unknown\x00").
        // NOTE(review): tokens this short may occur in unrelated files;
        // validate this rule against a known-clean corpus before alerting on it.
        $group1 = "seed\x00"
        $group2 = "prot\x00"
        $group3 = "ownin\x00"
        $group4 = "feed0\x00"
        $group5 = "nown\x00"

    condition:
        // Requires any three of the five tokens; a single token is not enough.
        3 of ($group*)
}

// Public family rule: the only one of the three that shows up in scan results.
// It carries no strings of its own and fires when either private helper matches.
// NOTE(review): because both helpers are private, scanner output does not show
// whether the code pattern or the string set produced the hit; a strings-only
// match is the weaker signal, so confirm hits before acting on them.
rule Rooter : Family
{
    meta:
        description = "Rooter"
        author = "Seth Hardy"
        last_modified = "2014-07-10"

    condition:
        RooterCode or RooterStrings
}