alert http $HOME_NET any -> $EXTERNAL_NET 8000: (msg:"ET MALWARE Malicious Dropper Activity (GET)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dwn/"; startswith; fast_pattern; http.host; pcre:"/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; http.header_names; content:!"Referer"; reference:md5,0e0c65c206e1244987db350f3fefabd6; reference:md5,e31b4fb81764e4dd6bacab9baba266b4; reference:url,www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/; classtype:trojan-activity; sid:2033289; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_07_09, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_07_09;)