rule polarSSL_servernames {
	meta:
		Author = "NCCIC trusted 3rd party"
		Incident = "10135536"
		Date = "2018/04/19"
		category = "hidden_cobra"
		family = "n/a"
		description = "n/a"
	strings:
		$polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
		$sn1 = "www.google.com"
		$sn2 = "www.naver.com"
	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) - -0x4550) and ($polarSSL and 1 of ($sn*))
}