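# LOCAL rule: outbound HTTP request whose Host is a Cloudflare-operated public
# hosting/tunnel domain (trycloudflare.com, pages.dev, workers.dev, r2.dev, or
# any subdomain) and whose URI names a script-like file
# (.wsf .py .js .jse .vbs .vbe .bat .cmd .ps1 .hta .url).
#
# Fixes relative to the published text of this rule:
#   - "->" and straight double quotes restored; the typographic arrow and
#     curly quotes on the page are not valid rule syntax.
#   - Literal dots in both regexes are escaped. Unescaped, "." matches any
#     character, so the URI test fired on any path ending in e.g. "xjs"
#     ("/lib/nodejs") and the host test accepted look-alike names.
#   - The two reference:url options held page titles instead of URLs (the link
#     targets were lost). The titles are kept below as comments; re-add each as
#     reference:url,<URL_WITHOUT_SCHEME>; once the real links are known.
#
# References (titles only, URLs not preserved on the page):
#   - The Unintentional Enabler: How Cloudflare Services are Abused for
#     Credential Theft and Malware Distribution
#   - Quick Tunnels - Cloudflare One docs
#
# Coverage notes:
#   - flow:to_server means this matches the client's request (the fetch
#     attempt), not the response body.
#   - http.host / http.uri are only populated for cleartext or already-decrypted
#     HTTP. Requests made over TLS are invisible to this rule unless traffic is
#     decrypted before it reaches the sensor.
#   - These domains also serve a large amount of legitimate content, and .js/.py
#     requests are routine; treat hits as triage leads and tune or suppress for
#     your environment.
#   - Both conditions are pcre-only, so the rule offers no content pattern for
#     the prefilter. If sensor load matters, consider adding a content match
#     (for example, one rule per domain with http.host; content:"..."; endswith;).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL suspicious file delivery from targeted Cloudflare-family host"; flow:to_server,established; http.host; pcre:"/^(?:[A-Za-z0-9-]+\.)*(?:trycloudflare\.com|pages\.dev|workers\.dev|r2\.dev)$/i"; http.uri; pcre:"/\.(?:wsf|py|js|jse|vbs|vbe|bat|cmd|ps1|hta|url)(?:$|[?#&])/i"; classtype:trojan-activity; sid:1000001; rev:5;)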