REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Network Instruments\Observer\Filters\(Hack) Net BUS 1]
"FilterBuffer"=hex:9a,00,00,00,05,00,00,00,2c,00,4b,00,34,00,1f,00,00,5b,11,00,\
  01,00,01,00,02,00,01,07,00,00,00,02,02,10,00,01,00,06,00,01,00,00,00,00,00,\
  06,4e,65,74,42,75,73,17,00,62,00,00,00,1e,00,00,23,02,06,00,39,30,00,00,00,\
  00,00,00,00,00,17,00,00,00,79,00,1e,00,00,f3,02,06,00,39,30,00,00,00,00,00,\
  00,00,00,17,00,00,00,00,00,1e,00,00,4b,01,06,00,39,30,00,00,00,00,00,00,00,\
  00,21,00,00,00,00,00,1f,00,00,03,00,00,00,00,01,00,06,00,01,00,00,00,00,01,\
  08,47,65,74,49,6e,66,6f,0d
"szDescr"="This event may indicate that the Netbus remote administration tool is operating on the server. This legitimate administration tool is often used by attackers as a trojan. "
"RGBValue"=dword:000000ff
"bFilterBasedAlarm"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Network Instruments\Observer\ProtocolPresetsV9]