I had to modify the below to get through spam filters (thanks gmail):<br><br>On Wed, Oct 12, 2011 at 04:45 PM, Bad Horse <span dir="ltr">&lt;<a href="mailto:b4dh0rs3@gmail.com">b4dh0rs3@gmail.com</a>&gt;</span> wrote:<br><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">I suggest we add this:<br><br>alert tcp $EXTERNAL_NET $HTTP_PORTS -&gt; $HOME_NET any (msg:&quot;ET CURRENT_EVENTS - USPS Spam/Trojan Executable Download&quot;; flow:from_server,established; content:&quot;filename=USPS_Invoice&quot;; http_header; content:&quot;.exe&quot;; distance:0; within:32; http_header; classtype:trojan-activity; reference:url,<a href="http://www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235">www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235</a>; sid:b4dh0rs3_11; rev:1;)<br>

<br>I have tested this and found it to be working as expected. <br><br>On the network activity that prompted this, I see no Referer header on the GET, indicating the link was clicked on from email.  Full GET URI:<br><br>&lt;removed_thanks_to_gmail_spam_filters;_see_VT_link_for_details&gt;<br>

<br>Some HTTP response headers:<br><br>Content-Disposition: attachment; filename=USPS_Invoice_10112011.PDF.exe<br>Content-Type: application/octet-stream<br><br>Clearly malicious:<br><a href="http://www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235">http://www.virustotal.com/file-scan/report.html?id=41866ac1950b620bd13fb3d6063e3781eaa3bbccb3089b13073abe752d0a6ffa-1318350235</a><br>

<br>Other rules I saw alert on this were PE download rules and ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER.<br><br>-B4d H0rs3<br> The Thoroughbred of SYN<br>
</blockquote></div><br>
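The header checks in the proposed rule, re-implemented in simplified form as an added example (not code from the original post, nor from the ET ruleset or the Snort/Suricata engines); the header samples are constructed, and the distance/within handling is an approximation of what the engine does:

```python
# Added example: a simplified model of the content / distance / within
# matching the proposed rule relies on, run over constructed HTTP response
# headers. Illustrative only; not the Snort/Suricata engine.

# Ordered content matches from the proposed rule, applied to the header buffer.
# Each entry: (pattern, distance, within); None means no relative constraint.
RULE_CHAIN = [
    (b"filename=USPS_Invoice", None, None),
    (b".exe", 0, 32),
]


def match_chain(buffer: bytes, chain) -> bool:
    """Return True when every pattern matches in order.

    'distance' offsets the search start from the end of the previous match;
    'within' bounds the window in which the whole next pattern must fit.
    Matches are case-sensitive, as in the rule (it carries no 'nocase').
    """
    cursor = 0  # end offset of the previous match
    for pattern, distance, within in chain:
        start = cursor if distance is None else cursor + distance
        end = len(buffer) if within is None else start + within
        idx = buffer.find(pattern, start, end)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


def headers_alert(raw_headers: bytes) -> bool:
    """Apply the rule's header checks to one raw HTTP response header block."""
    return match_chain(raw_headers, RULE_CHAIN)


# Constructed samples (modelled on the headers quoted in the message).
MALICIOUS = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Disposition: attachment; filename=USPS_Invoice_10112011.PDF.exe\r\n"
             b"Content-Type: application/octet-stream\r\n\r\n")
# A genuine PDF with the same naming scheme: no ".exe", so no alert.
BENIGN_PDF = (b"HTTP/1.1 200 OK\r\n"
              b"Content-Disposition: attachment; filename=USPS_Invoice_10112011.pdf\r\n"
              b"Content-Type: application/pdf\r\n\r\n")
# ".exe" present but in an unrelated header well past the filename: 'within:32'
# keeps the match anchored to the filename, so this does not fire either.
UNRELATED_EXE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Disposition: attachment; filename=USPS_Invoice_10112011.pdf\r\n"
                 b"Content-Type: application/pdf\r\n"
                 b"X-Constructed-Note: served by tracker.exe\r\n\r\n")

if __name__ == "__main__":
    for name, hdrs in (("malicious", MALICIOUS), ("benign_pdf", BENIGN_PDF),
                       ("unrelated_exe", UNRELATED_EXE)):
        print(name, "ALERT" if headers_alert(hdrs) else "no alert")
```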