Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; urilen:>70; http.uri; content:"/?"; content:"|3b|"; distance:64; within:1; content:"|3b|"; distance:1; within:1; isdataat:!2,relative; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d$/"; http.user_agent; content:!"Java/"; classtype:exploit-kit; sid:2013098; rev:4; metadata:affected_product Any, attack_target Client_Endpoint, created_at 2011_06_22, deployment Perimeter, confidence Medium, signature_severity Major, tag DriveBy, updated_at 2024_02_06;)