alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT EITest SocENG Payload DL"; flow:established,to_client; http.header; content:"|3b 20 66 69 6c 65 6e 61 6d 65 3d 43 68 72 ce bf 6d d0 b5 20 66 ce bf 6e e1 b9 ab 2e 65 78 65|"; fast_pattern; nocase; file.data; content:"MZ"; within:2; classtype:social-engineering; sid:2024198; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, deployment Perimeter, malware_family EITest, confidence High, signature_severity Major, updated_at 2024_03_02;)