
Snort Rule to Detect Single JS or VBS file in ZIP file


How can I make use of Snort rule to find ZIP files being downloaded that contain only a single .js or .vbs file?

I thought of using pcre -> ^PK.+.(js|JS|Js|jS)

Sample of traffic:
HTTP/1.1 200 OK
Date: Wed, 19 Apr 2017 19:46:43 GMT
Server: Apache
X-Powered-By: PHP/5.3.29
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="document__917_8324_94_Apr___19___2017_09__44___27.zip"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/octet-stream

4295b
PK...........JV...M(...G..<...document__59020_001366_8039__Apr___19___2017__09__44___27.jsUT .....X...Xux...............gs.L.-.~?..?P.( %R.<[email protected].......[.2..4.g.{..{....s...&......2.w..V.;u.f.'.....3<........m<..>..8..Z.K6...k.....q.7...v4z........_.....)...w..Zosw......X.4..2."..z>..o.....Q6.G.A6.i.......Muz..T.}.kf..z.W..._O......J.#.;S.{....,..k...z...lu.Y;.J..^.......P=[..jg.m65..........SY.1..F..z{.L..,.L...~o.Me..V.....a}<.N .....x....;..]..~T..n...G........z>..o.Y.........M...+.z...^.P_w.(...|.2.,.{.]...........W..;.......lL...Wv..p..r..1}.........]...r..Wwg.gYr....>.-..6.....:+.'..~.1...?.Nj'G_..........m...r...r..S.m.W.....<......wE...f.E....a...M


Solution

  • alert tcp any any -> any any (msg:"TEST"; file_data; content:"|0D 0A 0D 0A 50 4B|"; nocase; pcre:"/\x0D\x0A\x0D\x0APK.+?\.js/i"; sid:1000000;)
    

    The content:"|0D 0A 0D 0A 50 4B|"; option matches ....PK

    And the i option of PCRE means case-insensitive matching.


    And the file_data option inspects the HTTP response. http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004528000000000000000
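As an added example (not the answerer's rule or any code from the thread), here is the structural check the question actually asks for, in Python: it reads the ZIP central directory to confirm the archive holds exactly one .js or .vbs entry (the PCRE above only sees the first local file header, cannot count entries, and does not cover .vbs), and it re-implements the answer's PCRE over a raw response for comparison. All file names and functions are hypothetical; note the rule has no /s modifier, so a 0x0A byte inside the ZIP local header (CRC, sizes, timestamps) stops the `.+?` match.

```python
import io
import re
import zipfile

SCRIPT_EXTS = (".js", ".vbs")

def build_sample_zip(names):
    """Constructed sample archive with one entry per name (hypothetical content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            zf.writestr(name, "WScript.Echo('constructed sample');")
    return buf.getvalue()

def single_script_zip(data):
    """True if the archive holds exactly one file and it is a .js/.vbs.
    Uses the central directory, so every entry is counted, not just the first."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return False
    return len(entries) == 1 and entries[0].filename.lower().endswith(SCRIPT_EXTS)

# Same expression as the answer's pcre option: /i -> re.I, and no /s,
# so "." stops at a 0x0A byte exactly as PCRE would in Snort.
RULE_PCRE = re.compile(rb"\x0d\x0a\x0d\x0aPK.+?\.js", re.I)

def rule_pcre_matches(response):
    """Apply the answer's PCRE to a raw (non-chunked) HTTP response."""
    return RULE_PCRE.search(response) is not None

def build_response(body):
    """Wrap a body in minimal constructed headers, un-chunked for simplicity."""
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/octet-stream\r\n"
               b"Content-Disposition: attachment; filename=\"document.zip\"\r\n\r\n")
    return headers + body

def classify(response):
    """Compare the regex verdict with the structural verdict for one response."""
    body = response.split(b"\r\n\r\n", 1)[1]
    return {"rule_pcre": rule_pcre_matches(response),
            "single_script": single_script_zip(body)}

if __name__ == "__main__":
    for names in (["document.js"], ["invoice.VBS"], ["a.js", "b.txt"]):
        print(names, classify(build_response(build_sample_zip(names))))
```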