Signature
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"NF - Host name with IP address sending exe file"; flow:from_server,established; content:"200"; http_stat_code; content:"|21|This program cannot be run in DOS mode|2e|"; flowbits:isset,NF-IPHOST; reference:url,networkforensic.dk; metadata:08092018; classtype:misc-activity; sid:5026006; rev:1;)
Recommendations/Investigative actions
Configure your network security devices (e.g., firewalls, proxies) to block the transmission of executable files (such as .exe) over HTTP traffic. Preventing the delivery of potentially malicious executable files can reduce the risk of malware infections. Authorize the connection. If the connection was approved - archive and baseline the rule. If not - check the connection and investigate the file and the relevant IP address.