title: Flash Player Update from Suspicious Location
status: experimental
description: Detects a flashplayer update from an unofficial location
references:
    - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb
author: Florian Roth
logsource:
    category: proxy
detection:
    selection:
        cs-uri-query: 
            - '*/install_flash_player.exe'
            - '*/flash_install.php*'
    filter:
        cs-uri-query: '*.adobe.com/*'
    condition: selection and not filter
falsepositives:
    - Unknown flash download locations
level: high