We are receiving this event "EXPLOIT-KIT Gong Da exploit kit possible jar download (1:27706:3)" from Cisco Firepower IPS.
We tried to find which file on our server is causing this event, and from the IPS Packet Text we found this:
Packet Text
....l@....J..E.....@.@..
..#...I......!....qP..s....PK..........GG............C...<Path><File>...7...}i....%m .P*.Q'..........GU......Z..3E..~.'.S.`=w.......
The above is only part of the packet text, in order not to disclose too much information. Also, <Path><File> in the Packet Text is actually the real path and file, which can be found on our server; they are not disclosed here in order not to reveal sensitive information.
Since the server is maintained by external developers, we must first confirm this is really a true positive event so that we can ask the developers to take follow-up action. To confirm, we uploaded the file <File> to VirusTotal, and no security vendors there flagged this file as malicious. This really puts us in a dilemma - the developers would say something like "what should I do when so many security vendors do not think this file is malicious?"
So are there other ways for us to confirm? Any advice would be appreciated.
/////////////////////////////////////////////////
The rule:
"alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Gong Da exploit kit possible jar download"; flow:to_client,established; flowbits:isset,file.jpeg|file.png|file.gif; file_data; content:"PK"; depth:2; content:".class"; fast_pattern:only; metadata:policy max-detect-ips drop, service http; reference:cve,2011-2140; reference:cve,2011-3544; reference:cve,2012-0003; reference:cve,2012-0422; reference:cve,2012-0507; reference:cve,2012-0634; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:cve,2012-4792; reference:cve,2012-4969; reference:cve,2012-5076; reference:cve,2013-1493; classtype:trojan-activity; sid:27706; rev:3; gid:1; )"
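An added example, not from the original post or from Cisco/Snort, that re-applies the rule's two content matches (`PK` within the first 2 bytes of file_data, and `.class` anywhere) to a copy of the served file, and then lists the ZIP entries so you can see whether the body is a JAR rather than the image the flowbits say was served. The sample inputs are constructed; `rule_27706_content_matches`, `zip_entries` and `triage` are names chosen here.

```python
import io
import zipfile

# Content checks taken from Snort SID 1:27706:3 (the rule quoted above):
# content:"PK"; depth:2  -> ZIP/JAR local-file-header signature at the start of file_data
# content:".class"       -> a Java class file name somewhere in the served body
# The flowbits (file.jpeg|file.png|file.gif) come from Snort's file-identify rules on the response.

def rule_27706_content_matches(body: bytes) -> dict:
    """Re-apply the two content matches of the rule to a served file body."""
    return {
        "pk_at_start": body[:2] == b"PK",       # depth:2 means within the first 2 bytes
        "has_class_string": b".class" in body,  # fast_pattern match anywhere in file_data
    }

def zip_entries(body: bytes) -> list:
    """If the body is a well-formed ZIP, return its entry names; otherwise an empty list."""
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(body: bytes) -> str:
    """Answer the question 'is this a JAR served as an image?' for one file body."""
    m = rule_27706_content_matches(body)
    class_entries = [n for n in zip_entries(body) if n.lower().endswith(".class")]
    if m["pk_at_start"] and class_entries:
        return "jar-like: ZIP container with class entries " + ", ".join(class_entries)
    if m["pk_at_start"] and m["has_class_string"]:
        return "rule content matches but not a parsable ZIP with .class entries (review manually)"
    if m["pk_at_start"]:
        return "ZIP container without .class entries (e.g. docx/xlsx/apk); rule should not match"
    return "not a ZIP container; the rule's first content match cannot hit this body"

# Constructed sample (not from the original post): a small JAR-like ZIP holding one class file.
def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)  # Java class magic
    return buf.getvalue()

# Constructed sample: a real JPEG header, which the "PK" depth:2 match can never hit.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32

if __name__ == "__main__":
    for label, body in (("sample.jar", build_sample_jar()), ("sample.jpg", SAMPLE_JPEG)):
        print(label, rule_27706_content_matches(body), triage(body))
```

Run it against the actual <File> fetched from the server (open it in binary mode and pass the bytes to `triage`); a JAR-like result for a file served under an image path is the evidence the developers are asking for, independent of VirusTotal verdicts.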