ET HUNTING ZIP File Symlink External Attribute Inbound
Source: et/open
Created: January 29, 2025
Updated: January 29, 2025
Classification: attempted-user
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING ZIP File Symlink External Attribute Inbound"; flow:established,to_server; flowbits:set,ET.ZIP.Symlink.Inbound; http.request_body; content:"|50 4b 03 04|"; fast_pattern; content:"|50 4b 01 02|"; distance:0; byte_test:2,&,0xa,36,relative,little; reference:url,en.wikipedia.org/wiki/ZIP_(file_format); classtype:attempted-user; sid:2059740; rev:1; metadata:attack_target Web_Server, tls_state TLSDecrypt, created_at 2025_01_29, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2025_01_29; target:dest_ip;)
References
Metadata
attack target: Web_Server
tls state: TLSDecrypt
created at: 2025_01_29
deployment: SSLDecrypt
confidence: Medium
signature severity: Major
updated at: 2025_01_29