alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET HUNTING Dropbox Hosted PDF with an Encoded Filename"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"content-disposition|3a 20|attachment|3b 20|filename=|22|"; nocase; content:"filename*"; distance:0; content:"x-dropbox"; fast_pattern; http.response_body; content:"|25 50 44 46 2D|"; reference:url,developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Disposition; classtype:misc-activity; sid:2068229; rev:1; metadata:attack_target Client_Endpoint, created_at 2026_03_13, deployment Perimeter, performance_impact Moderate, confidence High, signature_severity Informational, updated_at 2026_03_16;)