sid:5002819 generates lots of false positives for .enc file extension #16
Description
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg:"[WINDOWS-MALWARE] TrueCrypter Rakhni or .CryptoHasYou. - Trojan:Win32/Dynamer!ac ransomware extension detected."; pcre: "/ 4663: | 567: | 5145: /"; content:!"\encoding"; nocase; meta_content: ".%sagan% ",enc,cryptohasyou; meta_nocase; program: Security; classtype: trojan-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5002819; reference: url,docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g; reference: url,www.nyxbone.com/malware/RansomwareOverview.html; sid:5002819; rev:7;)