alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT_KIT BegOp Exploit Kit Payload"; flow:established,to_client; http.content_type; content:"image/"; startswith; fast_pattern; file.data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:exploit-kit; sid:2015783; rev:7; metadata:created_at 2012_10_06, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_29;)