Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Malicious Doc Download EXE Primer (flowbits set)"; flow:established,to_server; flowbits:set,ET.MalDocEXEPrimer; flowbits:noalert; http.uri; content:"?id="; content:"&act="; fast_pattern; pcre:"/\.[^\x3F]+\?id=\d+&act=\d+$/"; http.header_names; content:!"|0d 0a|Referer|0d 0a|"; reference:url,fireeye.com/blog/threat-research/2015/04/a_new_word_document.html; classtype:trojan-activity; sid:2020837; rev:7; metadata:created_at 2015_04_03, signature_severity Major, updated_at 2024_03_04;)