alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT Balada Javascript Inject Observed"; flow:established,to_client; http.response_body; content:"time|5c|x20zone|5c|x20check|5c|x20failed"; content:"time|5c|x20zone|5c|x20err"; content:"can|5c|x20not|5c|x20apply|5c|x20reverse"; fast_pattern; content:"reverse|5c|x20err"; classtype:exploit-kit; sid:2069998; rev:1; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2026_06_17, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit_Kit, tag compromised_website, updated_at 2026_06_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)