Rule History

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2"; flow:established,to_server; urilen:<70; http.uri; content:!".swf"; nocase; pcre:"/^\/(?:\??[a-f0-9]{32,64}\/?)?$/"; http.header_names; content:"|0d 0a|x-flash-version|0d 0a|"; fast_pattern; http.header; pcre:"/Referer\x3a\x20http\x3a\x2f+(?P<dl1>[^\x2e\r\n]+)\x2e[^\x2f\r\n]*?(?P<dl2>\x2e[^\x2e\r\n\x2f]+\x2e[^\x2e\x2f\r\n]+)\x2f(?:\??[a-f0-9]{32,64}\/?)?\r\n.*?Host\x3a\x20(?!(?P=dl1))[^\r\n]*?(?P=dl2)\r\n/sm"; classtype:exploit-kit; sid:2020895; rev:8; metadata:created_at 2015_04_11, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_03;)