Why doesn't this rule trigger?

Hello. I am trying to trigger this rule, found in the emerging trojan rule file:

I have sent Zeus pcap traffic down the wire:

Yet the rule is not broken; no fast.log output is received.

Here is my definition of HOMENET and EXTERNALNET variables.

I am very confused.

Here is a pastebin of the traffic I sent.


If you want to specify a single IP address perhaps that should be, instead of a /24. If it was for the whole subnet, then you can use

I have changed that, but still no output to fast.log occurs.

Could you post the entire rule (the image clips the trailing portion of the rule) and a pcap?

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN NgrBot IRC CnC Channel Join"; flow:established,to_server; content:"PASS ngrBot"; content:"NICK"; distance:0; metadata: former_category MALWARE; reference:url,stopmalvertising.com/rootkits/analysis-of-ngrbot.html; classtype:trojan-activity; sid:2013451; rev:3; metadata:created_at 2011_08_23, updated_at 2011_08_23;)

Can you share the pcap?