alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Fake Java Installer Landing Page Oct 21"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/download.php?id="; content:"&sid="; distance:0; content:"&name=Java|20|Runtime|20|Environment|20|"; distance:0; fast_pattern; pcre:"/^\/[0-9]+\/download\.php\?id=/"; pcre:"/&name=[a-z0-9\x20]+$/i"; reference:url,heimdalsecurity.com/blog/security-alert-blackhat-seo-campaign-passes-around-malware-to-unsuspecting-users; classtype:trojan-activity; sid:2021991; rev:4; metadata:created_at 2015_10_21, signature_severity Major, updated_at 2020_12_10;)