Rule History

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Possible Malvertising Redirect to EK M1"; flow:established,to_client; http.stat_code; content:"200"; http.header; content:"Content-Encoding|3a 20|gzip|0d 0a|"; file.data; content:"<script|20|"; content:"new Date()).getTime()|3b|"; nocase; distance:0; content:".php?JBOSSESSION="; distance:0; fast_pattern; content:"window.location.href="; distance:0; content:"<script|20|"; pcre:"/^\s*type\s*=\s*[\x22\x27]\s*text\/javascript\s*[\x22\x27]\s*>\s+var\s*(?P<timestamp>[A-Za-z0-9]{1,25})\s*=\s*\(new\sDate\(\)\)\.getTime\(\)\;\s+(?P<url>[A-Za-z0-9]{1,25})\s*=\s*[\x22\x27]\s*[^\r\n]+\.php\?JBOSSESSION=\s*[\x22\x27]\s+(?P<urlvar2>[A-Za-z0-9]{1,25})\s*=\s*(?P=url)\s*\+\s*(?P=timestamp)\s+window\.location\.href\s*=\s*(?P=urlvar2)\s+/Rsi"; content:"</script>"; distance:0; classtype:exploit-kit; sid:2025912; rev:2; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, created_at 2018_07_26, deployment Perimeter, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_08_25;)