Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT DRIVEBY Nuclear EK Landing Dec 29 2014"; flow:from_server,established; file_data; content:"|2f 67 2c 27 27 29 3b 7d 65 6c 73 65 7b 72 65 74 75 72 6e|"; fast_pattern; content:"Function"; pcre:"/^\s*?\x28\s*?[\x22\x27](?P<var1>[^\x22\x27]+)[\x22\x27]\s*,\s*[\x22\x27]if\s*?\x28(?P=var1)\s*\!\s*=\s*[\x27\x22][\x22\x27]\s*?\x29\s*?\{\s*?(?P<var2>[^\s\x3d]+)\s*?=\s*?(?P=var1)\s*?\[/Rs"; classtype:exploit-kit; sid:2020082; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Any, attack_target Client_Endpoint, created_at 2014_12_30, deployment Perimeter, malware_family Nuclear, confidence High, signature_severity Critical, tag DriveBy, tag Exploit_Kit, tag Nuclear, updated_at 2019_10_08;)