Common Information
Type Value
Value:
rule hoplight {
	meta:
		Author = "CISA trusted 3rd party"
		Incident = "10135536"
		Date = "2019-08-14"
		Category = "Hidden_Cobra"
		Family = "HOPLIGHT"
		Description = "Detects polarSSL certificates"
	strings:
		$polarSSL = "fjiejffndxklfsdkfjsaadiepwn"
		$p1 = { EF CD AB 90 }
		$p2 = { 78 56 B4 C2 }
		$p3 = { 55 84 26 FE }
	condition:
		(uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and ($polarSSL and all of ($p*))
}
Category
Type: Yara Rule
Misp Type
Description
Details Published Attributes CTI Title
Details Website 2019-10-31 107 MAR-10135536-8 – North Korean Trojan: HOPLIGHT | CISA