alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2012_05_30, deployment Perimeter, malware_family Blackhole, signature_severity Critical, tag Blackhole, tag Exploit_Kit, updated_at 2019_07_26, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1027, mitre_technique_name Obfuscated_Files_or_Information;)