alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SERVER LOIC Javascript DDoS Inbound"; flow:established,to_server; threshold:type both, track by_src, count 5, seconds 60; http.method; content:"GET"; http.uri; content:"?id="; content:"&msg="; distance:13; within:5; pcre:"/\?id=[0-9]{13}&msg=[^&]+$/"; reference:url,isc.sans.org/diary/Javascript+DDoS+Tool+Analysis/12442; reference:url,www.wired.com/threatlevel/2012/01/anons-rickroll-botnet; classtype:attempted-dos; sid:2014140; rev:6; metadata:created_at 2012_01_23, signature_severity Major, updated_at 2020_04_23;)