alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT tdsshop Inject Script M1"; flow:established,to_client; http.stat_code; content:"200"; http.content_type; content:"application/javascript"; http.response_body; content:"function getVisitorId()"; distance:0; content:"_tj_vid"; distance:0; content:"function sendReport()"; distance:0; content:"location.hostname "; distance:0; content:"location.pathname"; distance:0; content:"location.search"; distance:0; content:"getVisitorId"; distance:0; content:"/collect.php"; distance:0; content:"navigator.sendBeacon"; distance:0; content:"new|20|Image|28 29 2e|src|20 3d 20|url|20 2b 20 27 3f 27 20 2b 20|qs|20 2b 20 27 26 5f 3d 27 20 2b 20|Date|2e|now|28 29 3b|"; fast_pattern; distance:0; reference:url,silentpush.com/blog/drivesurge/; classtype:exploit-kit; sid:2069947; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_06_15, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Critical, tag Exploit_Kit, tag TDS, tag compromised_website, tag tdsshop, updated_at 2026_06_15, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:src_ip;)