Please explain how this rule works.
Is it detecting the alert based only on the content "R|00|23"? Please explain how to figure this out.
IPS Rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wow 23 runtime detection"; flow:to_client,established; content:"R|00|23"; depth:4; detection_filter:track by_src, count 3, seconds 300; metadata:policy security-ips alert; reference:url,www.megasecurity.org/trojans/0_9/23/23_0.3.html; classtype:trojan-activity; sid:10184; rev:6; )
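
The payload and rate conditions of the rule above, as an added example that is not part of the original post and is not Snort code: it models content:"R|00|23" with depth:4 as a byte match limited to the first four payload bytes, and detection_filter as a per-source counter that must be exceeded before an alert is raised. Assumptions: the rule header and flow options are reduced to boolean flags, the sampling period is taken to start at a source's first match, and the packets and the address 192.0.2.10 are constructed sample data.

```python
# Simplified model of the rule's payload and rate logic (not Snort code).
PATTERN = b"R\x0023"     # content:"R|00|23" -> bytes 52 00 32 33
DEPTH = 4                # depth:4 -> search only payload[0:4]
COUNT, SECONDS = 3, 300  # detection_filter: count 3, seconds 300


def content_matches(payload: bytes) -> bool:
    """content + depth: the pattern must lie inside the first DEPTH bytes."""
    return PATTERN in payload[:DEPTH]


class DetectionFilter:
    """track by_src: one counter per source IP (period model is an assumption)."""

    def __init__(self):
        self.state = {}  # src_ip -> (period_start, matches_in_period)

    def exceeded(self, src: str, now: float) -> bool:
        start, n = self.state.get(src, (now, 0))
        if now - start >= SECONDS:   # period over: start counting again
            start, n = now, 0
        n += 1
        self.state[src] = (start, n)
        return n > COUNT             # the rate must be exceeded, not just reached


def evaluate(packets):
    """Return timestamps of packets that would raise the alert."""
    filt = DetectionFilter()
    alerts = []
    for p in packets:
        # flow:to_client,established is modelled as two flags on the packet
        if not (p["established"] and p["to_client"]):
            continue
        if content_matches(p["payload"]) and filt.exceeded(p["src"], p["ts"]):
            alerts.append(p["ts"])
    return alerts


def sample_packets():
    # Constructed sample traffic; 192.0.2.10 is a documentation address.
    base = {"src": "192.0.2.10", "established": True, "to_client": True}
    hits = [dict(base, ts=t, payload=b"R\x0023 hello") for t in (0, 10, 20, 30)]
    miss = dict(base, ts=40, payload=b"xxR\x0023")   # pattern beyond depth 4
    late = dict(base, ts=400, payload=b"R\x0023")    # falls in a new period
    return hits + [miss, late]
```

With the sample traffic, only the fourth matching packet (ts 30) produces an alert: the first three are counted but suppressed, the packet at ts 40 fails the depth check, and the one at ts 400 starts a new period.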