alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"GET"; http_method; content:"/flow"; fast_pattern; depth:5; http_uri; pcre:"/^\d{1,2}\.php$/UR"; content:".ru"; http_host; isdataat:!1,relative; classtype:exploit-kit; sid:2015897; rev:4; metadata:created_at 2012_11_20, confidence Medium, signature_severity Major, tag TDS, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_02_04;)