alert http $HOME_NET any → $EXTERNAL_NET any (msg:“ET TROJAN MalDoc/Gamaredon CnC Activity”; flow:established,to_server; content:“OPTIONS”; http_method; content:“/ADMIN-”; http_uri; depth:7; fast_pattern; content:“Microsoft Office Protocol Discovery”; http_user_agent; classtype:trojan-activity; reference:md5,b7fe95ccd715a8dd6eb7519ff15e1fc5; sid:123311; rev:1;)
Kind Regards,
Kevin Ross
