alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT tdsshop Web Inject Payload Request"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"repo?rnd="; depth:20; fast_pattern; pcre:"/^0\x2e(?:\d{15,18})&ts\x3d\d{13}$/R"; classtype:exploit-kit; sid:2069949; rev:1; metadata:attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_06_15, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Critical, tag Exploit_Kit, tag TDS, tag compromised_website, tag tdsshop, updated_at 2026_06_16, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:src_ip;)