REGEDIT4

; Registry export of one Network Instruments Observer filter definition,
; named "(Hack) Dagger 1.4.0". Line breaks are restored here; values are unchanged.
;
; FilterBuffer is an opaque, vendor-specific binary blob; its layout is not
; documented in this file. Recognisable content, decoded from the bytes below:
;   - 43 6f 6e 6e 65 63 74  = ASCII "Connect" (present twice)
;   - 44 72 69 76 65 73     = ASCII "Drives" (preceded by 06 00 00 00, which
;                             looks like a length prefix - TODO confirm)
;   - 1d 0a 00 00           = 0x00000a1d little-endian = 2589 (present twice);
;                             presumably the TCP port being matched, which is
;                             the port usually listed for Dagger 1.4.0 - confirm
; NOTE(review): if the match is port + payload string as it appears, a server
; moved to another port will not trigger this filter; treat a quiet filter as
; "no match", not as "host is clean".
;
; szDescr is the operator-facing text. Per that text the filter fires on a
; connection *attempt*, so a hit can be a probe against an uninfected host;
; check whether the target answered before treating it as a compromise.
;
; RGBValue 0x000000ff: red if this is a Windows COLORREF (0x00bbggrr) - TODO confirm.
; bFilterBasedAlarm 1: presumably raises an alarm on match - verify in Observer.
;
; Comments are kept out of the hex continuation lines on purpose, since a
; comment inside a continued value may break the import.
[HKEY_LOCAL_MACHINE\Software\Network Instruments\Observer\Filters\(Hack) Dagger 1.4.0]
"FilterBuffer"=hex:a6,00,00,00,04,00,00,00,17,00,59,00,1f,00,1e,00,00,cb,01,06,\
  00,00,04,00,00,01,00,1d,0a,00,00,3a,00,00,00,00,00,1f,00,00,58,1e,00,02,00,\
  01,00,06,00,01,00,00,00,00,01,0f,0b,00,00,00,07,00,00,00,43,6f,6e,6e,65,63,\
  74,01,00,06,00,02,00,00,1e,00,00,07,43,6f,6e,6e,65,63,74,36,00,00,00,8f,00,\
  1f,00,00,a5,1f,00,01,00,01,00,06,00,01,00,00,00,00,01,10,32,00,00,00,06,00,\
  00,00,44,72,69,76,65,73,24,00,01,00,02,00,01,0d,00,00,00,02,02,10,00,17,00,\
  00,00,00,00,1e,00,00,9b,01,06,00,1d,0a,00,00,01,00,00,04,00,00
"szDescr"="This event indicates that a remote user has attempted to connect to a dagger 1.4.0 trojan server running on Windows. This connection attempt may indicate an existing compromise. The target server should be checked for infection."
"RGBValue"=dword:000000ff
"bFilterBasedAlarm"=dword:00000001

; Key header with no values visible in this excerpt; the export may continue
; beyond this point.
[HKEY_LOCAL_MACHINE\Software\Network Instruments\Observer\ProtocolPresetsV9]