alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED GENERIC Likely Malicious Fake IE Downloading .exe"; flow:established,to_server; http.uri; content:".exe"; fast_pattern; endswith; content:!"download_helper.ns"; http.header; content:!"softdl.360tpcdn.com"; http.user_agent; content:"|20|MSIE|20|"; http.host; content:!"microsoft.com"; content:!"adobe.com"; content:!"360safe.com"; content:!"cfbeta.razersynapse.com"; content:!"download.windowsupdate.com"; content:!"gladmainnew.morningstar.com"; http.connection; content:"close"; nocase; http.header_names; content:!"Accept-Encoding"; content:!"Referer"; classtype:trojan-activity; sid:2018403; rev:16; metadata:created_at 2014_04_22, signature_severity Unknown, updated_at 2022_05_20;)