Update malware.rules

malware.rules

@@ -22,3 +22,13 @@ reference:url,researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-anal
 classtype:trojan-activity; sid:99999999; rev:1;)
 
 
+*/
+Submitted on 10-Aug-2015
+Rule to detect the new Download pattern seen in Dridex malware
+*/
+alert http $HOME_NET any -> $EXTERNAL_NET any 
+(msg:"ET CURRENT_EVENTS Potential W32/Dridex Alphanumeric Download Pattern"; flow:established,to_server; 
+content:"GET"; http_method; content:".exe"; http_uri; depth:20; content:!"Referer|3A|"; http_header; 
+pcre:"/^\/[a-z0-9]{1,7}\/ [a-z0-9]{1,7}\.exe$/U"; 
+reference:url,blogs.cisco.com/security/dridex-attacks-target-corporate-accounting;
+classtype:trojan-activity; sid:13082015; rev:1;)