alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Potential Blackhole Exploit Pack Binary Load Request"; flow:established,to_server; flowbits:set,et.exploitkitlanding; http.uri; content:".php?f="; fast_pattern; content:"&e="; pcre:"/^[^?#]+?\.php\?f=\w+&e=\d+$/"; http.header_names; content:!"Referer|0d 0a|"; content:"User-Agent|0d 0a|"; content:"Host|0d 0a|"; distance:0; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2012169; rev:11; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2011_01_07, deployment Perimeter, malware_family Blackhole, performance_impact Significant, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2024_04_09;)