rule SuspiciousDownloader {
strings:
$a = "powershell -enc" nocase
$b = "Invoke-WebRequest" nocase
$c = "http://" nocase
condition:
allowed_types = ['image/png', 'image/jpeg', 'application/pdf']
uploaded = params.require(:document)
raise ActionController::BadRequest, 'file too large' if uploaded.size > 10.megabytes
raise ActionController::BadRequest, 'type not allowed' unless allowed_types.include?(uploaded.content_type)