alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:exploit-kit; sid:2016018; rev:2; metadata:created_at 2012_12_12, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2019_07_26;)