alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE W32/BaneChant.APT Winword.pkg Redirect"; flow:established,to_client; http.stat_code; content:"301"; http.stat_msg; content:"Moved Permanently"; http.location; content:"/update/winword.pkg"; reference:url,www.fireeye.com/blog/technical/malware-research/2013/04/trojan-apt-banechant-in-memory-trojan-that-observes-for-multiple-mouse-clicks.html; classtype:targeted-activity; sid:2016713; rev:3; metadata:created_at 2013_04_04, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_23;)