alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE Possible Stitur Secondary Download"; flow:established,from_server; http.header; content:".file|0d 0a|"; fast_pattern; content:"Content-Description|3a 20|File Transfer|0d 0a|"; content:"Content-Transfer-Encoding|3a 20|binary|0d 0a|"; pcre:"/filename=[a-f0-9]{13}\.file\r\n/"; classtype:trojan-activity; sid:2017700; rev:5; metadata:created_at 2013_11_09, confidence Medium, signature_severity Major, updated_at 2020_09_22;)