REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Network Instruments\Observer\Filters\(Hack) Net BUS 2]
"FilterBuffer"=hex:c2,00,00,00,06,00,00,00,17,00,4b,00,1f,00,1e,00,00,cf,01,06,\
  00,3a,30,00,00,00,00,00,00,00,00,2c,00,00,00,00,00,1f,00,00,92,15,00,01,00,\
  01,00,06,00,01,00,00,00,00,00,06,4e,65,74,42,75,73,01,00,02,00,01,0d,00,00,\
  00,02,02,10,00,17,00,90,00,62,00,1e,00,00,52,02,06,00,3a,30,00,00,00,00,00,\
  00,00,00,2e,00,00,00,00,00,1f,00,00,4c,11,00,01,00,01,00,02,00,01,0d,00,00,\
  00,02,02,10,00,01,00,06,00,01,00,00,00,00,01,08,47,65,74,49,6e,66,6f,0d,17,\
  00,00,00,a7,00,1e,00,00,63,01,06,00,3a,30,00,00,01,00,00,04,00,00,1b,00,00,\
  00,00,00,1f,00,00,cb,00,00,00,00,01,00,02,00,01,0d,00,00,00,02,02,12,00
"szDescr"="This event may indicate that the Netbus remote administration tool is operating on the server. This legitimate administration tool is often used by attackers as a trojan. "
"RGBValue"=dword:000000ff
"bFilterBasedAlarm"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Network Instruments\Observer\ProtocolPresetsV9]