alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Possible Maldoc Retrieving Dridex from pastebin"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/raw.php?i="; depth:11; fast_pattern; http.host; content:"pastebin.com"; bsize:12; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|Win32|3b 20|WinHttp.WinHttpRequest.5)"; depth:57; http.header_names; content:!"Referer|0d 0a|"; reference:md5,07523de32e43f67b1bbd5edc87803d5c; classtype:trojan-activity; sid:2020892; rev:6; metadata:created_at 2015_04_11, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_05_21;)