ramachandran.gunasekaran
Level 1
Member since 05-24-2017 06:22 AM
Last visited 10-03-2017 12:19 PM

User Statistics

  • 9 Posts
  • 0 Solutions
  • 9 Helpful votes Given
  • 0 Helpful votes Received

User Activity

alert udp $HOME_NET any -> $EXTERNAL_NET 123 (msg:"MALWARE-CNC Win.Trojan.Zeroaccess variant outbound connection"; flow:to_server; content:"GN"; depth:2; metadata:policy security-ips drop, service ntp; classtype:trojan-activity; sid:26932; rev:2; ) I...
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain counter.yadro.ru"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|counter|05|yadro|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, service dns; refer...
Please explain how this rule works.   Is it detecting the alert based only on the content "R|00|23"?   Please explain how to figure this out.   IPS Rule:   alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wow 23 runtime detection...
IPS RULE: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (sid:1000122; gid:1; flow:established,to_server; content:"SSH-"; depth:4; detection_filter:track by_src, count 30, seconds 60; msg:"Local - BAD-TRAFFIC SSH brute force login attempt"; classtype:Hi...
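The rules quoted in the posts above turn on three Snort options: content with depth (the ZeroAccess NTP rule matches only if the UDP payload starts with "GN"), byte_test (the yadro.ru rule requires the DNS flags byte at offset 2 to have none of the QR/Opcode/AA/TC bits set, i.e. a standard query, before it looks for the wire-format QNAME), and detection_filter (the SSH rule alerts only once a single source exceeds 30 banner matches in 60 seconds). The following is an added example, not code from the posts or from Snort: a toy evaluator for those three options run over constructed payloads. The function and class names (parse_content, content_match, byte_test, DetectionFilter, dns_query), the sample packets, and the sliding-window reading of detection_filter are assumptions for illustration; the truncated rule from the third post is not reconstructed.

```python
"""Toy evaluator for the Snort options used in the quoted rules.
Added example only; this is not Snort's implementation."""
from collections import defaultdict, deque


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '|07|counter|05|yadro|02|ru|00|'
    into bytes: text outside |...| is literal, text inside is hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, depth=None, offset=0) -> bool:
    """content with optional depth/offset: the whole pattern must lie within
    the first `depth` bytes after `offset`. depth:2 for "GN" therefore means
    the payload must begin with "GN"."""
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]


def byte_test(payload: bytes, num_bytes: int, operator: str, value: int,
              offset: int, big_endian: bool = True) -> bool:
    """byte_test:<bytes>,<[!]op>,<value>,<offset>. '&' is true when any bit of
    value is set in the converted integer; a leading '!' negates the result."""
    if offset + num_bytes > len(payload):
        return False
    n = int.from_bytes(payload[offset:offset + num_bytes],
                       "big" if big_endian else "little")
    negate = operator.startswith("!")
    op = operator.lstrip("!")
    result = {"<": n < value, ">": n > value, "=": n == value,
              "&": (n & value) != 0, "^": (n ^ value) != 0}[op]
    return not result if negate else result


class DetectionFilter:
    """detection_filter:track by_src, count C, seconds S. The Snort manual
    defines count as the maximum number of matches allowed in the window, so
    the event fires on the (count+1)th match. Assumption: a sliding window
    keyed on the tracked address (Snort's internal bookkeeping may differ)."""

    def __init__(self, count: int, seconds: int):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)

    def match(self, src: str, ts: float) -> bool:
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] >= self.seconds:   # expire matches outside window
            q.popleft()
        return len(q) > self.count


# Patterns copied from the quoted rules.
ZEROACCESS_CONTENT = parse_content("GN")
YADRO_QNAME = parse_content("|07|counter|05|yadro|02|ru|00|")
SSH_BANNER = parse_content("SSH-")


def zeroaccess_ntp_rule(payload: bytes) -> bool:
    """sid:26932 payload options: content:"GN"; depth:2."""
    return content_match(payload, ZEROACCESS_CONTENT, depth=2)


def yadro_dns_rule(payload: bytes) -> bool:
    """byte_test:1,!&,0xF8,2 (QR=0, Opcode=0, AA=0, TC=0: a query) plus the
    length-prefixed QNAME labels for counter.yadro.ru anywhere in the payload."""
    return (byte_test(payload, 1, "!&", 0xF8, 2)
            and content_match(payload, YADRO_QNAME))


def ssh_bruteforce_rule(payload: bytes, src: str, ts: float,
                        filt: DetectionFilter) -> bool:
    """content:"SSH-"; depth:4; the detection_filter is consulted only after
    the content option has already matched."""
    return content_match(payload, SSH_BANNER, depth=4) and filt.match(src, ts)


def dns_query(qname_wire: bytes, flags: bytes = b"\x01\x00",
              txid: bytes = b"\x12\x34") -> bytes:
    """Constructed DNS message: header (id, flags, QD=1, AN/NS/AR=0) followed by
    one question of type A, class IN. flags 0x0100 = RD set, standard query."""
    return txid + flags + b"\x00\x01\x00\x00\x00\x00\x00\x00" + qname_wire + b"\x00\x01\x00\x01"


# Constructed sample payloads (not captured traffic).
NTP_CLIENT = b"\x23" + b"\x00" * 47          # LI=0 VN=4 Mode=3: a normal NTP client packet
GN_AT_START = b"GN" + b"\x00" * 14           # payload to udp/123 beginning with "GN"
GN_LATER = b"\x00\x00\x00\x00GN"             # "GN" present but past depth 2

if __name__ == "__main__":
    print("ZeroAccess rule:", zeroaccess_ntp_rule(GN_AT_START), zeroaccess_ntp_rule(NTP_CLIENT))
    print("yadro query:", yadro_dns_rule(dns_query(YADRO_QNAME)))
    print("yadro response:", yadro_dns_rule(dns_query(YADRO_QNAME, flags=b"\x81\x80")))
    f = DetectionFilter(30, 60)
    print("SSH alert on 31st banner:",
          [ssh_bruteforce_rule(b"SSH-2.0-x", "10.0.0.5", t, f) for t in range(31)][-1])
```

Running the demo shows why the first poster's rule fires on a payload that starts with "GN" but not on an ordinary NTP packet or on "GN" further into the payload, why the yadro.ru rule matches the query but not the server's response (flags 0x81 has QR set, so the !& test fails), and why the SSH rule stays silent for the first 30 banners from a source and alerts from the 31st within the 60-second window.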