alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:5; metadata:created_at 2011_01_05, confidence Medium, signature_severity Major, updated_at 2020_08_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)