alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED EXE Download Request To Wordpress Folder Likely Malicious"; flow:established,to_server; content:"GET"; http_method; content:"/wp-"; http_uri; content:".exe"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; pcre:"/\.exe(?:\?[0-9])?$/U"; pcre:"/\/wp-(?:content|admin|includes)\//U"; reference:md5,1828f7090d0ad2844d3d665d2f41f911; classtype:trojan-activity; sid:2022239; rev:5; metadata:affected_product Wordpress, affected_product Wordpress_Plugins, attack_target Web_Server, created_at 2015_12_09, deployment Datacenter, signature_severity Major, tag Wordpress, updated_at 2019_07_26;)